diff --git a/Snapshots.md b/Snapshots.md
index 857655b..1da0943 100644
--- a/Snapshots.md
+++ b/Snapshots.md
@@ -7,6 +7,8 @@ layout: default
 
 - [Current development version](https://dafny.org/dafny)
 - [Latest release snapshot](https://dafny.org/latest)
+- [v4.10.0](https://dafny.org/v4.10.0)
+- [v4.9.1](https://dafny.org/v4.9.1)
 - [v4.8.1](https://dafny.org/v4.8.1)
 - [v4.6.0](https://dafny.org/v4.6.0)
 - [v4.5.0](https://dafny.org/v4.5.0)
diff --git a/latest/DafnyRef/Attributes.3.expect b/latest/DafnyRef/Attributes.3.expect
index 754570c..eca60fd 100644
--- a/latest/DafnyRef/Attributes.3.expect
+++ b/latest/DafnyRef/Attributes.3.expect
@@ -1,3 +1,3 @@
-text.dfy(25,14): Error: assertion might not hold
+text.dfy(25,6): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/Expressions.5.expect b/latest/DafnyRef/Expressions.5.expect
index c9c3ba5..ecbb16a 100644
--- a/latest/DafnyRef/Expressions.5.expect
+++ b/latest/DafnyRef/Expressions.5.expect
@@ -1,3 +1,3 @@
-text.dfy(2,11): Error: assertion might not hold
+text.dfy(2,2): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
\ No newline at end of file
diff --git a/latest/DafnyRef/Modules.2.expect b/latest/DafnyRef/Modules.2.expect
index a992046..a754390 100644
--- a/latest/DafnyRef/Modules.2.expect
+++ b/latest/DafnyRef/Modules.2.expect
@@ -1,4 +1,4 @@
 text.dfy(9,6): Error: value does not satisfy the subset constraints of 'nat'
-text.dfy(12,21): Error: assertion might not hold
+text.dfy(12,4): Error: assertion might not hold
 
 Dafny program verifier finished with 1 verified, 2 errors
diff --git a/latest/DafnyRef/Modules.4.expect b/latest/DafnyRef/Modules.4.expect
index 6d76343..920194d 100644
--- a/latest/DafnyRef/Modules.4.expect
+++ b/latest/DafnyRef/Modules.4.expect
@@ -1,3 +1,3 @@
-text.dfy(10,15): Error: assertion might not hold
+text.dfy(10,4): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/Plugins.md b/latest/DafnyRef/Plugins.md
index 6cb7c29..c044914 100644
--- a/latest/DafnyRef/Plugins.md
+++ b/latest/DafnyRef/Plugins.md
@@ -230,6 +230,6 @@ That's it! Now, build your library while inside your folder:
 > dotnet build
 ```
 
-This will create the file `PluginTutorial/bin/Debug/net6.0/PluginTutorial.dll`.
+This will create the file `PluginTutorial/bin/Debug/net8.0/PluginTutorial.dll`.
 Now, open VSCode, open Dafny settings, and enter the absolute path to this DLL in the plugins section.
 Restart VSCode, and it should work!
diff --git a/latest/DafnyRef/Statements.10.expect b/latest/DafnyRef/Statements.10.expect
index c718935..c19750c 100644
--- a/latest/DafnyRef/Statements.10.expect
+++ b/latest/DafnyRef/Statements.10.expect
@@ -1,3 +1,3 @@
-text.dfy(8,13): Error: assertion might not hold
+text.dfy(8,4): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/Statements.16.expect b/latest/DafnyRef/Statements.16.expect
index 6bbd3b3..971d1af 100644
--- a/latest/DafnyRef/Statements.16.expect
+++ b/latest/DafnyRef/Statements.16.expect
@@ -1,3 +1,3 @@
-text.dfy(17,10): Error: assertion might not hold
+text.dfy(17,2): Error: assertion might not hold
 
 Dafny program verifier finished with 2 verified, 1 error
diff --git a/latest/DafnyRef/Statements.3.expect b/latest/DafnyRef/Statements.3.expect
index f267a4c..ce5fed0 100644
--- a/latest/DafnyRef/Statements.3.expect
+++ b/latest/DafnyRef/Statements.3.expect
@@ -1,5 +1,5 @@
 text.dfy(12,2): Warning: this loop has no body (loop frame: i, a, $Heap)
-text.dfy(16,11): Error: assertion might not hold
-text.dfy(18,16): Error: assertion might not hold
+text.dfy(16,2): Error: assertion might not hold
+text.dfy(18,2): Error: assertion might not hold
 
 Dafny program verifier finished with 1 verified, 2 errors
diff --git a/latest/DafnyRef/Statements.5.expect b/latest/DafnyRef/Statements.5.expect
index 84d23b8..ed0077a 100644
--- a/latest/DafnyRef/Statements.5.expect
+++ b/latest/DafnyRef/Statements.5.expect
@@ -1,4 +1,4 @@
-text.dfy(2,14): Error: assertion might not hold
-text.dfy(3,11): Error: assertion might not hold
+text.dfy(2,2): Error: assertion might not hold
+text.dfy(3,2): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 2 errors
diff --git a/latest/DafnyRef/Statements.6.expect b/latest/DafnyRef/Statements.6.expect
index 0dcc07a..5d7469e 100644
--- a/latest/DafnyRef/Statements.6.expect
+++ b/latest/DafnyRef/Statements.6.expect
@@ -1,3 +1,3 @@
-text.dfy(2,14): Error: assertion might not hold
+text.dfy(2,2): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/Statements.7.expect b/latest/DafnyRef/Statements.7.expect
index 0dcc07a..5d7469e 100644
--- a/latest/DafnyRef/Statements.7.expect
+++ b/latest/DafnyRef/Statements.7.expect
@@ -1,3 +1,3 @@
-text.dfy(2,14): Error: assertion might not hold
+text.dfy(2,2): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/Statements.8b.expect b/latest/DafnyRef/Statements.8b.expect
index 7e599df..0732822 100644
--- a/latest/DafnyRef/Statements.8b.expect
+++ b/latest/DafnyRef/Statements.8b.expect
@@ -1,4 +1,4 @@
-text.dfy(6,12): Error: function precondition could not be proved
+text.dfy(6,13): Error: function precondition could not be proved
 text.dfy(3,30): Related location: this proposition could not be proved
 
 Dafny program verifier finished with 8 verified, 1 error
diff --git a/latest/DafnyRef/Statements.opaqueBlock.expect b/latest/DafnyRef/Statements.opaqueBlock.expect
index dd8065e..04352d3 100644
--- a/latest/DafnyRef/Statements.opaqueBlock.expect
+++ b/latest/DafnyRef/Statements.opaqueBlock.expect
@@ -1,3 +1,3 @@
-text.dfy(12,11): Error: assertion might not hold
+text.dfy(12,2): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/Topics.3.expect b/latest/DafnyRef/Topics.3.expect
index a5f9b7e..66c482d 100644
--- a/latest/DafnyRef/Topics.3.expect
+++ b/latest/DafnyRef/Topics.3.expect
@@ -1,3 +1,3 @@
 text.dfy(6,10): Error: the type of this variable is underspecified
-text.dfy(6,15): Error: type parameter 'T' (inferred to be '?') in the function call to 'EmptySet' could not be determined
+text.dfy(6,23): Error: type parameter 'T' (inferred to be '?') in the function call to 'EmptySet' could not be determined
 2 resolution/type errors detected in text.dfy
diff --git a/latest/DafnyRef/Types.19.expect b/latest/DafnyRef/Types.19.expect
index 1c238c3..e513b84 100644
--- a/latest/DafnyRef/Types.19.expect
+++ b/latest/DafnyRef/Types.19.expect
@@ -1,3 +1,3 @@
-text.dfy(9,11): Error: assertion might not hold
+text.dfy(9,2): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/Types.20.expect b/latest/DafnyRef/Types.20.expect
index b80b729..df1d037 100644
--- a/latest/DafnyRef/Types.20.expect
+++ b/latest/DafnyRef/Types.20.expect
@@ -1,5 +1,5 @@
 text.dfy(26,0): Error: a postcondition could not be proved on this return path
-text.dfy(25,10): Related location: this is the postcondition that could not be proved
+text.dfy(25,15): Related location: this is the postcondition that could not be proved
 text.dfy(10,9): Related location: this proposition could not be proved
 
 Dafny program verifier finished with 1 verified, 1 error
diff --git a/latest/DafnyRef/Types.21.expect b/latest/DafnyRef/Types.21.expect
index 6a1e2ac..22303ff 100644
--- a/latest/DafnyRef/Types.21.expect
+++ b/latest/DafnyRef/Types.21.expect
@@ -1,4 +1,4 @@
 text.dfy(8,4): Error: field 'x', which is subject to definite-assignment rules, might be uninitialized at this point in the constructor body
-text.dfy(10,13): Error: assertion might not hold
+text.dfy(10,4): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 2 errors
diff --git a/latest/DafnyRef/Types.25.expect b/latest/DafnyRef/Types.25.expect
index 5175bdf..9091193 100644
--- a/latest/DafnyRef/Types.25.expect
+++ b/latest/DafnyRef/Types.25.expect
@@ -1,3 +1,3 @@
-text.dfy(3,13): Error: assertion might not hold
+text.dfy(3,4): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/Types.7a.expect b/latest/DafnyRef/Types.7a.expect
index df622f2..126cd8b 100644
--- a/latest/DafnyRef/Types.7a.expect
+++ b/latest/DafnyRef/Types.7a.expect
@@ -1,3 +1,3 @@
-text.dfy(5,11): Error: assertion might not hold
+text.dfy(5,2): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/UserGuide.3.expect b/latest/DafnyRef/UserGuide.3.expect
index 28143d5..649ca8f 100644
--- a/latest/DafnyRef/UserGuide.3.expect
+++ b/latest/DafnyRef/UserGuide.3.expect
@@ -1,3 +1,3 @@
-text.dfy(7,13): Error: assertion might not hold
+text.dfy(7,4): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/UserGuide.4.expect b/latest/DafnyRef/UserGuide.4.expect
index 28143d5..649ca8f 100644
--- a/latest/DafnyRef/UserGuide.4.expect
+++ b/latest/DafnyRef/UserGuide.4.expect
@@ -1,3 +1,3 @@
-text.dfy(7,13): Error: assertion might not hold
+text.dfy(7,4): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/UserGuide.5.expect b/latest/DafnyRef/UserGuide.5.expect
index 1ffdb33..4b136e3 100644
--- a/latest/DafnyRef/UserGuide.5.expect
+++ b/latest/DafnyRef/UserGuide.5.expect
@@ -1,3 +1,3 @@
-text.dfy(6,13): Error: assertion might not hold
+text.dfy(6,4): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/DafnyRef/UserGuide.md b/latest/DafnyRef/UserGuide.md
index 156cb2b..8fd4ce1 100644
--- a/latest/DafnyRef/UserGuide.md
+++ b/latest/DafnyRef/UserGuide.md
@@ -2732,7 +2732,7 @@ If you have Boogie installed locally, you can run the printed Boogie file with t
 DOTNET=$(which dotnet)
 
 BOOGIE_ROOT="path/to/boogie/Source"
-BOOGIE="$BOOGIE_ROOT/BoogieDriver/bin/Debug/net6.0/BoogieDriver.dll"
+BOOGIE="$BOOGIE_ROOT/BoogieDriver/bin/Debug/net8.0/BoogieDriver.dll"
 
 if [[ ! -x "$DOTNET" ]]; then
     echo "Error: Dafny requires .NET Core to run on non-Windows systems."
@@ -2769,7 +2769,7 @@ The following options are also commonly used:
   but a large positive number reports more errors per run
 
 * `--verification-time-limit:<n>` (was `-timeLimit:<n>`) - limits 
-  the number of seconds spent trying to verify each procedure.
+  the number of seconds spent trying to verify each assertion batch.
 
 
 ### 13.9.11. Controlling test generation {#sec-controlling-test-gen}
diff --git a/latest/DafnyRef/integration-java/IntegrationJava.md b/latest/DafnyRef/integration-java/IntegrationJava.md
index cbbaffc..fe1321d 100644
--- a/latest/DafnyRef/integration-java/IntegrationJava.md
+++ b/latest/DafnyRef/integration-java/IntegrationJava.md
@@ -218,3 +218,6 @@ Often this requires defining a Dafny class that corresponds to the Java class.
 the Dafny-generated (Java) types and the types used in the desired method.
 The wrapper will do appropriate conversions and call the desired method.
 
+## Performance notes
+
+If you have the choice, given a `m: map<K, V>`, prefer iterating over the map itself like `forall k <- m` rather than over the keys `forall k <- m.Keys`. The latter currently results in `O(N²)` steps, whereas the first one remains linear.
diff --git a/latest/HowToFAQ/Errors-Resolver2.md b/latest/HowToFAQ/Errors-Resolver2.md
index 8fd0c83..ae80406 100644
--- a/latest/HowToFAQ/Errors-Resolver2.md
+++ b/latest/HowToFAQ/Errors-Resolver2.md
@@ -168,7 +168,7 @@ and optimizing tail-recursion opportunities in mutually recursive functions.
 ```dafny
 function {:tailrecursion} f(n: nat): nat
 {
-  if n == 0 then n else var ff := f; ff(n-1)
+  if n == 0 then n else var r := f(n-1); r
 }
 ```
 
diff --git a/latest/Installation.md b/latest/Installation.md
index edecd0f..991e4b0 100644
--- a/latest/Installation.md
+++ b/latest/Installation.md
@@ -15,7 +15,7 @@ are in the [Dafny project wiki](https://github.com/dafny-lang/dafny/wiki/INSTALL
 System Requirements
 ===================
 
-The `dafny tool` is a .NET 6.0 artifact, but it compiles to native executables on supported platforms.
+The `dafny tool` is a .NET 8.0 artifact, but it compiles to native executables on supported platforms.
 That and the Z3 tool are all that is needed to use dafny for verification; additional tools are 
 need for compilation, as described below.
 
@@ -41,7 +41,7 @@ In addition, the Dafny toolkit supplies runtime libraries, either in source form
 ### C#
 
 - Dafny targeting C# produces C#10-compatible source code.
-- Only the .NET 6.0 set of tools (which includes the C# compiler) is needed to compile and run the generated C# code.
+- Only the .NET 8.0 set of tools (which includes the C# compiler) is needed to compile and run the generated C# code.
 - The Dafny runtime library is included as C# source along with the generated C# code, so the user can compile those sources
 and any user code in one project.
 
@@ -86,9 +86,9 @@ For most users, we recommend using Dafny with VS Code, which has an easy install
 ## Visual Studio Code {#Visual-Studio-Code}
 
 0. Install [Visual Studio Code](https://code.visualstudio.com/)
-1. If you are on a Mac or Linux, install .NET 6.0, as described under those platforms below.  
+1. If you are on a Mac or Linux, install .NET 8.0, as described under those platforms below.
 2. In Visual Studio Code, press `Ctrl+P` (or `⌘P` on a Mac), and enter `ext install dafny-lang.ide-vscode`.
-3. If you open a `.dfy` file, Dafny VSCode will offer to download and install the latest Dafny. You can also browse extensions: 
+3. If you open a `.dfy` file, Dafny VSCode will offer to download and install the latest Dafny. You can also browse extensions:
   ![vs-code-dafny-2 0 1-install](https://user-images.githubusercontent.com/3601079/141353551-5cb5e23b-5536-47be-ba17-e5af494b775c.gif)
 
 ## Emacs {#Emacs}
@@ -118,7 +118,7 @@ install the correct dependencies for the desired language.
 
 To install Dafny on your own machine, 
 
-* Install (if not already present) .NET Core 6.0: `https://dotnet.microsoft.com/download/dotnet/6.0`
+* Install (if not already present) .NET Core 8.0: `https://dotnet.microsoft.com/download/dotnet/8.0`
 * Download the windows zip file from the [releases page](https://github.com/dafny-lang/dafny/releases/latest) and **save** it to your disk. 
 * Then, **before you open or unzip it**, right-click on it and select Properties; at the bottom of the dialog, click the **Unblock** button and then the OK button. 
 * Now, open the zip file and copy its contents into a directory on your machine. (You can now delete the zip file.)
@@ -130,7 +130,7 @@ Then:
 ## Linux (Binary) {#linux-binary}
 
 To install a binary installation of dafny on Linux (e.g., Ubuntu), do the following:
-* Install .NET 6.0. See: `https://docs.microsoft.com/dotnet/core/install/linux` or `sudo apt install dotnet-sdk-6.0`
+* Install .NET 8.0. See: `https://docs.microsoft.com/dotnet/core/install/linux` or `sudo apt install dotnet-sdk-8.0`
 * Install the Linux binary version of Dafny, from `https://github.com/dafny-lang/dafny/releases/latest`
 * Unzip the downloaded file in a (empty) location of your choice
 
@@ -165,7 +165,7 @@ After the compiler dependencies are installed, you can run a quick test of the i
 
 The .NET [NuGet](https://www.nuget.org/) repository collects .NET libraries and tools for easy installation. Dafny is available on NuGet, and can be installed as follows:
 
-* Install .NET 6.0 as described for your platform in one of the subsections above.
+* Install .NET 8.0 as described for your platform in one of the subsections above.
 * Install a binary version of Z3 4.12.1 for your platform from its [GitHub releases page](https://github.com/Z3Prover/z3/releases/tag/Z3-4.12.1) and put the `z3` executable in your `PATH`.
 * Install Dafny using `dotnet tool install --global dafny` (or leave out the `--global` to use with `dotnet tool run` from the source directory of a .NET project).
 
@@ -181,10 +181,10 @@ Additional instructions are found in the [Dafny User Guide](DafnyRef/DafnyRef#se
 
 ### C# (.Net)
 
-Install .NET 6.0:
-* Windows) `https://dotnet.microsoft.com/download/dotnet/6.0`
-* Linux) Install .NET 6.0. See: `https://docs.microsoft.com/dotnet/core/install/linux` or `sudo apt install dotnet-sdk-6.0`
-* Mac) Install .NET 6.0: `brew install dotnet-sdk` or from `https://docs.microsoft.com/dotnet/core/install/macos`
+Install .NET 8.0:
+* Windows) `https://dotnet.microsoft.com/download/dotnet/8.0`
+* Linux) Install .NET 8.0. See: `https://docs.microsoft.com/dotnet/core/install/linux` or `sudo apt install dotnet-sdk-8.0`
+* Mac) Install .NET 8.0: `brew install dotnet-sdk` or from `https://docs.microsoft.com/dotnet/core/install/macos`
 
 
 To separately compile and run your program for .NET:
diff --git a/latest/OnlineTutorial/Modules.1.expect b/latest/OnlineTutorial/Modules.1.expect
index ac319c2..7eaa7bd 100644
--- a/latest/OnlineTutorial/Modules.1.expect
+++ b/latest/OnlineTutorial/Modules.1.expect
@@ -1,4 +1,4 @@
-text.dfy(27,23): Error: assertion might not hold
-text.dfy(37,23): Error: assertion might not hold
+text.dfy(27,4): Error: assertion might not hold
+text.dfy(37,4): Error: assertion might not hold
 
 Dafny program verifier finished with 5 verified, 2 errors
diff --git a/latest/OnlineTutorial/Modules.5.expect b/latest/OnlineTutorial/Modules.5.expect
index d09a073..18a41e0 100644
--- a/latest/OnlineTutorial/Modules.5.expect
+++ b/latest/OnlineTutorial/Modules.5.expect
@@ -1,3 +1,3 @@
-text.dfy(13,21): Error: assertion might not hold
+text.dfy(13,4): Error: assertion might not hold
 
 Dafny program verifier finished with 2 verified, 1 error
diff --git a/latest/OnlineTutorial/Sets.1.expect b/latest/OnlineTutorial/Sets.1.expect
index 26247f3..1f7b778 100644
--- a/latest/OnlineTutorial/Sets.1.expect
+++ b/latest/OnlineTutorial/Sets.1.expect
@@ -1,3 +1,3 @@
-text.dfy(4,41): Error: assertion might not hold
+text.dfy(4,2): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/OnlineTutorial/guide.10.expect b/latest/OnlineTutorial/guide.10.expect
index e714f86..6a7d67a 100644
--- a/latest/OnlineTutorial/guide.10.expect
+++ b/latest/OnlineTutorial/guide.10.expect
@@ -1,14 +1,14 @@
 text.dfy(7,0): Error: a postcondition could not be proved on this return path
+text.dfy(4,12): Related location: this is the postcondition that could not be proved
+text.dfy(7,0): Error: a postcondition could not be proved on this return path
 text.dfy(5,23): Related location: this is the postcondition that could not be proved
 text.dfy(7,0): Error: a postcondition could not be proved on this return path
 text.dfy(6,22): Related location: this is the postcondition that could not be proved
-text.dfy(7,0): Error: a postcondition could not be proved on this return path
-text.dfy(4,12): Related location: this is the postcondition that could not be proved
+text.dfy(16,0): Error: a postcondition could not be proved on this return path
+text.dfy(13,12): Related location: this is the postcondition that could not be proved
 text.dfy(16,0): Error: a postcondition could not be proved on this return path
 text.dfy(14,23): Related location: this is the postcondition that could not be proved
 text.dfy(16,0): Error: a postcondition could not be proved on this return path
 text.dfy(15,22): Related location: this is the postcondition that could not be proved
-text.dfy(16,0): Error: a postcondition could not be proved on this return path
-text.dfy(13,12): Related location: this is the postcondition that could not be proved
 
 Dafny program verifier finished with 0 verified, 6 errors
diff --git a/latest/OnlineTutorial/guide.12.expect b/latest/OnlineTutorial/guide.12.expect
index 1c238c3..e513b84 100644
--- a/latest/OnlineTutorial/guide.12.expect
+++ b/latest/OnlineTutorial/guide.12.expect
@@ -1,3 +1,3 @@
-text.dfy(9,11): Error: assertion might not hold
+text.dfy(9,2): Error: assertion might not hold
 
 Dafny program verifier finished with 0 verified, 1 error
diff --git a/latest/OnlineTutorial/guide.7.expect b/latest/OnlineTutorial/guide.7.expect
index d3fa2cb..a2e5589 100644
--- a/latest/OnlineTutorial/guide.7.expect
+++ b/latest/OnlineTutorial/guide.7.expect
@@ -1,3 +1,3 @@
-text.dfy(14,11): Error: assertion might not hold
+text.dfy(14,2): Error: assertion might not hold
 
 Dafny program verifier finished with 1 verified, 1 error
diff --git a/latest/OnlineTutorial/guide.8.expect b/latest/OnlineTutorial/guide.8.expect
index 0fb9e44..791d7d9 100644
--- a/latest/OnlineTutorial/guide.8.expect
+++ b/latest/OnlineTutorial/guide.8.expect
@@ -1,3 +1,3 @@
-text.dfy(11,11): Error: assertion might not hold
+text.dfy(11,2): Error: assertion might not hold
 
 Dafny program verifier finished with 1 verified, 1 error
diff --git a/latest/OnlineTutorial/guide.9.expect b/latest/OnlineTutorial/guide.9.expect
index 02e9574..29cca6b 100644
--- a/latest/OnlineTutorial/guide.9.expect
+++ b/latest/OnlineTutorial/guide.9.expect
@@ -1,3 +1,3 @@
-text.dfy(10,11): Error: assertion might not hold
+text.dfy(10,2): Error: assertion might not hold
 
 Dafny program verifier finished with 1 verified, 1 error
diff --git a/latest/Snapshots.md b/latest/Snapshots.md
index 857655b..1da0943 100644
--- a/latest/Snapshots.md
+++ b/latest/Snapshots.md
@@ -7,6 +7,8 @@ layout: default
 
 - [Current development version](https://dafny.org/dafny)
 - [Latest release snapshot](https://dafny.org/latest)
+- [v4.10.0](https://dafny.org/v4.10.0)
+- [v4.9.1](https://dafny.org/v4.9.1)
 - [v4.8.1](https://dafny.org/v4.8.1)
 - [v4.6.0](https://dafny.org/v4.6.0)
 - [v4.5.0](https://dafny.org/v4.5.0)
diff --git a/latest/VerificationOptimization/VerificationOptimization.md b/latest/VerificationOptimization/VerificationOptimization.md
index aa83919..c38198e 100644
--- a/latest/VerificationOptimization/VerificationOptimization.md
+++ b/latest/VerificationOptimization/VerificationOptimization.md
@@ -608,6 +608,27 @@ As a general rule, designing a program from the start so that it can be broken i
 
 * Break methods up into smaller pieces, as well. Because methods are always opaque, this will, in many cases, require adding a contract to each broken-out method. To make this more tractable, consider abstracting the concepts used in those contracts into separate functions, some of which may be opaque.
 
+# Verification fine-tuning
+
+## Conjunction vs. Nested ifs
+
+We have witnessed cases where the following code:
+```dafny
+    if (a && b) {
+        assert true;
+    }
+```
+verifies slower than
+```dafny
+    if (a) {
+        if (b) {
+            assert true;
+        }
+    }
+```
+This is because the well-formedness of `&& b` adds an extra proof obligation, which is empty in this case but not trimmed, so there is an extra `if (a) {}` in the encoding.
+Therefore, for verification performance, the nested ifs _could_ verify faster, and we have witnessed one case where it does. In other cases, this difference in translation might trigger butterfly effects and uncover brittleness.
+
 # Summary
 
 When you're dealing with a program that exhibits high verification variability, or simply slow or unsuccessful verification, careful encapsulation and information hiding combined with hints to add information in the context of difficult constructs is frequently the best solution. Breaking one large definition with extensive contracts down into several, smaller definitions, each with simpler contracts, can be very valuable. Within each smaller definition, a few internal, locally-encapsulated hints can help the prover make effective progress on goals it might be unable to prove in conjunction with other code.
diff --git a/latest/index.html b/latest/index.html
index 7f704bf..e42a74e 100644
--- a/latest/index.html
+++ b/latest/index.html
@@ -31,6 +31,7 @@ <h2>Quick Links</h2>
 <ul>
 <li><a href="./Installation"><b>Installation</b></a>
      (or a <a href="https://marketplace.visualstudio.com/items?itemName=dafny-lang.ide-vscode">VSCode plugin for Dafny</a>)</li>
+<li><a href="https://dafny.zulipchat.com/" target="_blank" rel="noopener noreferrer">Zulip channel</a> to ask questions about Dafny</li>
 <li><a href="./DafnyRef/DafnyRef">Dafny Reference Manual and User Guide</a></li>
 <li><a href="./toc">Dafny Resources for Users</a></li>
 <li><a href="https://github.com/dafny-lang/dafny">Dafny GitHub project (for developers of the Dafny tools themselves)</a></li>
diff --git a/latest/news/6006.fix b/latest/news/6006.fix
new file mode 100644
index 0000000..33dd67b
--- /dev/null
+++ b/latest/news/6006.fix
@@ -0,0 +1 @@
+Fix soundness bug that could occur for opaque blocks with empty modifies clauses
\ No newline at end of file
diff --git a/latest/news/6028.feat b/latest/news/6028.feat
new file mode 100644
index 0000000..2bfb795
--- /dev/null
+++ b/latest/news/6028.feat
@@ -0,0 +1 @@
+Change the default value for --verification-time-limit to 30 seconds instead of 0 (no limit)
\ No newline at end of file
diff --git a/latest/news/fix.3809 b/latest/news/fix.3809
new file mode 100644
index 0000000..177fb99
--- /dev/null
+++ b/latest/news/fix.3809
@@ -0,0 +1 @@
+Fix C#, Java and Go generated code when a datatype contains a method named 'Default'
diff --git a/latest/news/fix.5746 b/latest/news/fix.5746
new file mode 100644
index 0000000..19e1b00
--- /dev/null
+++ b/latest/news/fix.5746
@@ -0,0 +1 @@
+Fix C# generated code when a module contains a type with the same name
diff --git a/latest/news/fix.6014 b/latest/news/fix.6014
new file mode 100644
index 0000000..614d71f
--- /dev/null
+++ b/latest/news/fix.6014
@@ -0,0 +1 @@
+Fix Java generated code when a module contains a type with the same name
diff --git a/v4.10.0/.gitignore b/v4.10.0/.gitignore
new file mode 100644
index 0000000..2c8497e
--- /dev/null
+++ b/v4.10.0/.gitignore
@@ -0,0 +1,7 @@
+**/.DS_Store
+_site
+.sass-cache
+.jekyll-cache
+.jekyll-metadata
+vendor
+DafnyRefZ.md
diff --git a/v4.10.0/Compilation/AutoInitialization.md b/v4.10.0/Compilation/AutoInitialization.md
new file mode 100644
index 0000000..48eaabf
--- /dev/null
+++ b/v4.10.0/Compilation/AutoInitialization.md
@@ -0,0 +1,541 @@
+---
+title: Automatic Initialization of Variables
+---
+
+Automatic Initialization of Variables
+=====================================
+
+Dafny is a type-safe language, which primarily means that every use of a _variable_
+(local variable, parameter, bound variable, object field, or array element)
+evaluates to a value of the variable's type. The type checker and verifier together
+enforce that each value assigned to a variable is indeed a value of that variable's
+type. Since the type of a variable never changes, this ensures type safety, provided
+a variable is assigned before it is used. But what about any uses before then?
+
+If a variable is used before it has been assigned, Dafny still--in certain situations,
+like for array elements or when a variable is explicitly assigned `*`--arranges for
+the variable to be initialized with _some_ value of the variable's type.
+To accomplish this, the compiler needs to have the ability to emit an expression that
+produces a value of a given type. This is possible for many, but not all, types.
+
+This document describes for which types the compiler can produce initializing
+expressions and the mechanism used for doing so.
+
+Types
+-----
+
+Dafny supports the following kinds of types:
+
+* primitive types (`int`, `real`, `bool`, `char`, bitvectors of any width, and `ORDINAL`)
+* `newtype`s (these are distinct numeric types, whose values of mimic those of the given
+  numeric base type, or possibly a subset thereof)
+* possibly-null reference types (classes, arrays of any dimension, traits)
+* type parameters
+* collection types (sets, multisets, sequences, and maps)
+* datatypes and co-datatypes
+* arrow types (first-class function values of any arity)
+* subset types (a subset type of a base type `B` has a subset of the values of `B`; this
+  subset is characterized by a constraint on `B`)
+
+In addition, there are _type synonyms_ (which are just that--synonyms for other types) and
+_abstract types_ (which cannot be compiled, so they don't play a role here).
+
+Notes:
+* `nat` is a built-in subset type of `int`
+* `string` is a built-in type synonym for `seq<char>`
+* tuple types are built-in datatypes
+* iterators give rise to class types
+* collection types, datatypes, co-datatypes, arrow types, reference types, and subset
+  types can have type parameters
+* every possibly-null reference type `R?` has a corresponding non-null type `R`,
+  predefined as the subset type `type R = r: R? | r != null`
+* every arrow type `AA ~> B` (partial, heap-reading functions from the list of type `AA`
+  to the type `B`) has a built-in subset type `AA --> B` (partial functions from `AA`
+  to `B`), which in turn has a built-in subset `AA -> B` (total functions from `AA` to
+  `B`)
+
+Compilation of types
+--------------------
+
+The compilation of types involves several notions, defined here.
+
+The _target type_ of a Dafny type `T` is the target-language type used to represent `T`.
+The target type may not be unique to one Dafny type; in other words, several Dafny
+types may compile to the same target type.
+
+type                            | C# target type
+--------------------------------|---------------------------------------------------
+`int`                           | `BigInteger`
+`real`                          | `BigRational`
+`bool`                          | `bool`
+`char`                          | `char` (for `/unicodeChar:0`)<br>`Rune` (for `/unicodeChar:1`)
+bitvectors                      | `byte`, `ushort`, `uint`, `ulong`, or `BigInteger`
+`ORDINAL`                       | `BigInteger`
+integer-based `newtype`         | bounded C# integer or `BigInteger`
+real-based `newtype`            | `BigRational`
+`trait Tr`                      | interface `Tr`
+`class Cl`                      | class `Cl`
+`array<T>`, `array2<T>`, ...    | `T[]`, `T[,]`, ...
+type parameter `T`              | `T`
+collection type                 | `ISet<T>`, `IMultiset<T>`, `ISequence<T>`, `IMap<T, U>`
+datatype or co-datatype `D`     | interface of class `D`
+`TT ~> U`                       | `System.Func<TT, U>`
+subset type for a base type `B` | `B`
+
+The compilation of a type may emit some fields and methods that are used at run time.
+These are emitted into a _companion class_. In some cases, the companion class is the
+same as the target type, in some other case the companion class is a separate class,
+and in other cases there is no companion class at all.
+
+type                            | companion class
+--------------------------------|---------------------------------------------------
+`int`                           | none
+`real`                          | none
+`bool`                          | none
+`char`                          | none
+bitvectors                      | none
+`ORDINAL`                       | none
+`newtype` `T`                   | `T`
+`trait Tr`                      | `_Companion_Tr`
+`class Cl`                      | `Cl`
+`array<T>`, `array2<T>`, ...    | none
+type parameter `T`              | none
+collection type                 | `Set<T>`, `Multiset<T>`, `Sequence<T>`, `Map<T, U>`
+datatype or co-datatype `D`     | class `D`
+`TT ~> U`                       | none
+subset type `T`                 | `T`
+
+Types can have type parameters. For a target language that supports type parameters, each
+_formal_ type parameter is compiled into a corresponding formal type parameter in the target
+language, and each _actual_ type argument is compiled to that type's target type.
+
+Because target types are not unique, the type arguments passed as required by the target
+language do not carry all information that is needed about the type at run time.
+Therefore, the Dafny compiler augments the target language's type parameters by a
+system of _type descriptors_. These are described in a section below.
+
+Type descriptors are passed only for type parameters that bear the Dafny type characteristic
+`(0)`. Such type parameters are called _auto-init type parameters_.
+
+For inductive datatypes, the compiler uses one more notion of types, namely the
+_used type parameters_. This refers to those type parameters that play a role in the
+creation of a value of the datatype's "grounding constructor", explained below.
+
+Auto-init types
+---------------
+
+A type is called an _auto-init type_ if it is legal for a program to use a variable of
+that type before the variable has been initialized (or, for local variables, if the
+variable has only been assigned `*`).
+
+For example, `char` is an auto-init type. Therefore, the following is a legal program
+snippet:
+
+    var ch: char := *;
+    print ch, "\n";  // this uses ch at a time when ch has only been assigned *
+    var arr: array<char> := new char[100];
+    print arr[5], "\n";  // this uses arr[5] before ch has been explicitly assigned
+
+A compiler is permitted to assign _any_ value to `ch`, so long as that value is of
+type `char`. In fact, the compiler is free to emit code that chooses a different
+initial value each time this program snippet is encountered at run time. In other words,
+the language allows the selection of the values to be nondeterministic.
+
+The purpose of this document is to describe how the common compilers implement
+the auto-init feature. It will be convenient (and, for this particular compiler, accurate)
+to speak of each type as having a _default value_. However, please note that this
+terminology is specific to an implementation of a compiler--the Dafny _language_ itself
+does not have a notion of specific a "default value" of any type, not even for auto-init
+types.
+
+Default-valued expressions
+--------------------------
+
+To fabricate default values, the compiler emits a _default-valued expression_.
+A default-valued expression is simply an expression that evaluates to a default value
+for the type.
+
+type                                             | default-valued expression
+-------------------------------------------------|------------------------------------------
+`int`                                            | `BigInteger.Zero`
+`real`                                           | `BigRational.ZERO`
+`bool`                                           | `false`
+`char`                                           | `D` (because `\0` is not visible when printed as part of a string, so `D` leads to fewer surprises)
+bitvectors                                       | `0` or `BigInteger.Zero`
+`ORDINAL`                                        | `BigInteger.Zero`
+integer-based `newtype` without `witness` clause | same as for base type, cast appropriately
+real-based `newtype` without `witness` clause    | same as for base type, cast appropriately
+`newtype` `NT` with `witness` clause             | `NT.Witness`
+possibly-null reference types                    | `null`
+non-null array types                             | array of the appropriate type with every dimension having length 0
+type parameter `T`                               | `td_T.Default()`
+collection type `C<TT>`                          | `C<TT>.Empty`
+datatype or co-datatype `D<TT>`                  | `D<TT>.Default(E, ...)`
+`TT ~> U`                                        | `null`
+`TT --> U`                                       | `null`
+subset type without `witness` clause             | same as for base type
+subset type `S<TT>` with `witness` clause        | `S<TT>.Default()`
+
+Other types do not have default-valued expressions.
+
+Here are some additional explanations of the table:
+
+## Subset types
+
+In a subset type with a `witness` clause, like
+
+    type S<TT> = x: B | E witness W
+
+the witness is used as the default value. It is returned by the `Default()` method that is emitted
+in the companion class of the subset type:
+
+```
+public static B Default() {
+  return W;
+}
+```
+
+If the subset type has no type parameters, then the witness is pre-computed and reused:
+
+```
+private static readonly B Witness = W;
+public static B Default() {
+  return Witness;
+}
+```
+
+Note that a witness is used as the default value only if the type has a `witness` clause; if
+the type has no `witness` clause or if it has a `ghost witness` clause, then the default expression
+is that of the base type.
+
+## Newtypes
+
+As for subset types, when a `newtype` has a `witness` clause, the witness expression is used as the
+default value of the type. However, since a `newtype` does not have any type parameters, the value
+is always pre-computed into a (public) `Witness` field, and that field is used as the default-valued
+valued expression of the type. That is, no `Default()` method is generated.
+
+```
+public static readonly B Witness = W;
+```
+
+## (Co-)datatypes
+
+Each datatype and co-datatype has a _grounding constructor_. For a `datatype`, the grounding
+constructor is selected when the resolver ascertains that the datatype is nonempty. For a
+`codatatype`, the selection of the grounding constructor lacks sophistication--it is just the
+first of the given constructors. (Note, the grounding constructor might be ghost.)
+
+If the datatype is not an auto-init type, then there's nothing more to say about its default
+value. If it is an auto-init type, then the following explanations apply.
+
+The default value of a (co-)datatype is this grounding constructor, called with values
+for its parameters:
+
+    DT<TT>.create_GroundingCtor(E, ...)
+
+This value is produced by the `Default(...)` method emitted by the compiler into the type's
+companion class:
+
+```
+public static DT<TT> Default(T e, ...) {
+  return create_GroundingCtor(E, ...);
+}
+```
+
+The parameters to this `Default` method are the default values for each of the type parameters
+used by the grounding constructor. (If the datatype's type parameters include some auto-init
+type parameters, then type descriptors for them are also passed in to both `Default` and
+`create_GroundingCtor`, not illustrated in the example just shown. More about such type descriptors
+in a section below.)
+
+If the (co-)datatype has no type parameters (note: that is, no type parameters at all--the
+"used parameters" are not involved here), then the default value is pre-computed and reused:
+
+```
+private readonly DT _Default = create_GroundingCtor();
+public static DT Default() {
+  return _Default;
+}
+```
+
+## Type parameters
+
+If a type parameter `T` is an auto-init type parameter (that is, if it has been declared
+with the `(0)` type characteristic), then the context in the target code will contain a
+parameter or field named `td_T`. This is the type descriptor associated with `T`, as described
+in the next section, and calling `Default()` on it yields a value of the type that `T` stands for.
+
+Type descriptors
+----------------
+
+To obtain default values of certain type parameters, the compiler emits _run-time type descriptors_
+(or just _type descriptors_ for short). A type descriptor has the ability to produce a
+default value for the type that the type parameter represents.
+
+```
+public class TypeDescriptor<T>
+{
+  private readonly T initValue;
+  public TypeDescriptor(T initValue) {
+    this.initValue = initValue;
+  }
+  public T Default() {
+    return initValue;
+  }
+}
+```
+
+For example, consider a Dafny program where `G` is a type parameter that represents an auto-init type.
+For an uninitialized local variable of type `G`, the compiler will assign the default value
+
+    td_G.Default()
+
+where `td_G` is type descriptor for `G`. (More on where `td_G` comes from below.)
+
+The following table shows the type descriptors for the various types:
+
+type                                             | type descriptor
+-------------------------------------------------|------------------------------------------
+`int`                                            | `Dafny.Helpers.INT`
+`real`                                           | `Dafny.Helpers.REAL`
+`bool`                                           | `Dafny.Helpers.BOOL`
+`char`                                           | `Dafny.Helpers.CHAR`
+bitvectors                                       | `Dafny.Helpers.{UINT8, UINT16, UINT32, UINT64, INT}`
+`ORDINAL`                                        | `Dafny.Helpers.INT`
+`newtype` `NT`                                   | `NT._TypeDescriptor()`
+possibly-null reference type `T`                 | `Dafny.Helpers.NULL<T>()`
+type parameter `T`                               | `td_T`
+collection type `C<TT>`                          | `C<TT>._TypeDescriptor()`
+datatype or co-datatype `D`                      | `D._TypeDescriptor(typeDescriptors, ...)`
+arrow type `T`                                   | `Dafny.Helpers.NULL<T>()`
+subset type `S`                                  | `D._TypeDescriptor(typeDescriptors, ...)`
+
+## Primitive types
+
+The type descriptors for primitive types are defined in the `Dafny.Helpers` class:
+
+```
+public static readonly TypeDescriptor<bool> BOOL = new TypeDescriptor<bool>(false);
+public static readonly TypeDescriptor<char> CHAR = new TypeDescriptor<char>('D');
+public static readonly TypeDescriptor<BigInteger> INT = new TypeDescriptor<BigInteger>(BigInteger.Zero);
+public static readonly TypeDescriptor<BigRational> REAL = new TypeDescriptor<BigRational>(BigRational.ZERO);
+
+public static readonly TypeDescriptor<byte> UINT8 = new TypeDescriptor<byte>(0);
+public static readonly TypeDescriptor<ushort> UINT16 = new TypeDescriptor<ushort>(0);
+public static readonly TypeDescriptor<uint> UINT32 = new TypeDescriptor<uint>(0);
+public static readonly TypeDescriptor<ulong> UINT64 = new TypeDescriptor<ulong>(0);
+```
+
+## Newtypes
+
+The type descriptor for a `newtype` `NT` is given by the static `_TypeDescriptor` method that
+the compiler emits into the companion class for `NT`.
+
+```
+private static readonly Dafny.TypeDescriptor<B> _TYPE = new Dafny.TypeDescriptor<B>(Dve);
+public static Dafny.TypeDescriptor<B> _TypeDescriptor() {
+  return _TYPE;
+}
+```
+
+where `B` is the target type of `NT`,
+and `Dve` is the default-valued expression for `NT` (`Witness` or some form of `0` or `0.0`).
+
+## Reference types
+
+The type descriptor for possibly-null reference types is given by the following method in
+`Dafny.Helpers`:
+
+```
+public static TypeDescriptor<T> NULL<T>() where T : class {
+  return new TypeDescriptor<T>(null);
+}
+```
+
+## Collection types
+
+Type descriptors for collection types are provided by the `_TypeDescriptor()` method in
+the type's companion class. In each case, the quantity returned is a value computed once
+and for all into a static field.
+
+For each collection class (for example, `set<T>`), the companion class (`Set<T>` for
+`set<T>`) contains the following field and method:
+
+```
+private static readonly TypeDescriptor<B> _TYPE = new Dafny.TypeDescriptor<B>(Empty);
+public static TypeDescriptor<B> _TypeDescriptor() {
+  return _TYPE;
+}
+```
+
+where `B` denotes the target type of the collection type (`ISet<T>` for `set<T>`).
+
+## Datatypes and co-datatypes
+
+For any (co-)datatype `D<TT>`, the companion class for `D<TT>` declares:
+
+```
+public static Dafny.TypeDescriptor<D<TT>> _TypeDescriptor(Dafny.TypeDescriptor<T> _td_T, ...) {
+  return new Dafny.TypeDescriptor<D<TT>>(Default(_td_T, ...));
+}
+```
+
+where the list of type parameters denoted by `T, ...` are the "used" type parameters from `TT`.
+
+## Subset types
+
+The companion class of a subset type `S<TT>` contains a method `_TypeDescriptor` that returns
+a type descriptor for `S<TT>`.
+
+```
+public static Dafny.TypeDescriptor<B> _TypeDescriptor(TypeDescriptor<T> td_T, ...) {
+  return new Dafny.TypeDescriptor<B>(Dve);
+}
+```
+
+where the list of type parameters denoted by `T, ...` consists of the auto-init type parameters from `TT`,
+`B` is the target type of `S<TT>`, and
+`Dve` is the default-valued expression for `S<TT>`.
+
+If `S` has no type parameters, then the value returned by `_TypeDescriptor` is pre-computed
+and reused:
+
+```
+private static readonly Dafny.TypeDescriptor<B> _TYPE = new Dafny.TypeDescriptor<B>(Dve);
+public static Dafny.TypeDescriptor<B> _TypeDescriptor() {
+  return _TYPE;
+}
+```
+
+## Type parameters
+
+Finally, type parameters. These are the most involved.
+For each formal auto-init type parameter `T`, there is an associated type descriptor named
+`td_T` (of type `Dafny.TypeDescriptor<T>`). What exactly `td_T` is depends on both the
+parent declaration of `T` and the context of use.
+
+### Type parameters of a method or function
+
+If `T` is a type parameter of a method or function, then `td_T` is simply an additional
+parameter to the method or function.
+
+For example, a method `method M<T(0)>(x: int)` is compiled into
+
+```
+void M<T>(Dafny.TypeDescriptor<T> td_T, BigInteger x)
+```
+
+### Type parameters of a class
+
+If `T` is a type parameter of a class, then `td_T` is a field of the target type. Its
+value is given by a parameter to the target-type constructor.
+
+For example, for
+
+```
+class Cl<T(0)> {
+  constructor Init(x: int) { ... }
+  ...
+}
+```
+
+the target type will be
+
+```
+class Cl<T> {
+  private Dafny.TypeDescriptor<T> td_T;
+  public Cl(Dafny.TypeDescriptor<T> td_T) {
+    this.td_T = td_T;
+  }
+  public void Init(x: BigInteger) { ... }
+  ...
+}
+```
+
+### Type parameter of a (co-)datatype
+
+If `T` is a type parameter of a (co-)datatype, then `td_T` is a field of the object
+representing each (co-)datatype value.
+
+### Type parameter of a `newtype`
+
+Newtypes don't take type parameters.
+
+### Type parameters of a trait
+
+To obtain type descriptors in function and method implementations that are given
+in a trait, the function or method definition compiled into the companion class
+takes additional parameters that represent type descriptors for the type parameters
+of the trait.
+
+### Type parameter of a class, trait, (co-)datatype, or abstract type used in a static method or static function
+
+In C#, the type parameters of a class are available in static methods. However,
+any type descriptors of the class are stored in instance fields, since the target
+types are not unique. The instance fields are not available in static methods, so
+the static methods need to take the type descriptors as parameters.
+
+For example, the class
+
+```
+class Class<A(0)> {
+  static method M(x: int)
+}
+```
+
+is compiled into
+
+```
+class Class<A> {
+  Dafny.TypeDescriptor<A> td_A;
+  ...
+  static method M(Dafny.TypeDescriptor<A> td_A, BigInteger x)
+}
+```
+
+Type parameters and type descriptors for each type
+--------------------------------------------------
+
+In the following table, the rows show instance and static members (`const`/`function`/`method`) of
+the types that support members. The type is shown with a type parameter `A(0)` (except `newtype`,
+which doesn't take any type parameters). Each member is also shown with a type parameter `B(0)`
+(except `const`, which doesn't take any type parameters).
+
+For some target languages, the target type for traits does not allow implementations. In those
+cases, the target type has a signature for the member and the implementation is relegated to
+the companion class. This is reflected in the table by having two rows for instance members of
+traits.
+
+For each row, the "TP" column shows which of the Dafny type parameters contribute to the type
+parameters in the target language, and the "TD" column shows which of the Dafny type parameters
+contribute to the type descriptors in the target code.
+
+If `A` is missing from a "TP" column, it means that either the type parameter is available from
+the enclosing type or the target language doesn't support type parameters. If `A` is missing from
+a "TD" column, it means that the type descriptor is available via the receiver `this`.
+
+                                    | C#        | Java      | JavaScript | Go        |
+TYPE                                | TP  | TD  | TP  | TD  | TP  | TD   | TP  | TD  |
+------------------------------------|-----|-----|-----|-----|-----|------|-----|-----|
+`newtype`
+  instance member `<B(0)>`          | B   | B   | B   | B   |     | B    |     | B   |
+  static member `<B(0)>`            | B   | B   | B   | B   |     | B    |     | B   |
+`datatype<A(0)>`
+  instance member `<B(0)>`          | B   | B   | B   | B   |     | B    |     | B   |
+  static member `<B(0)>`            | B   | A,B | A,B | A,B |     | A,B  |     | A,B |
+`trait<A(0)>`
+  instance member `<B(0)>`          | B   | B   | B   | B   |     | B    |     | B   |
+  instance member `<B(0)>` rhs/body | B   | A,B | A,B | A,B |     | A,B  |     | A,B |
+  static member `<B(0)>`            | B   | A,B | A,B | A,B |     | A,B  |     | A,B |
+`class<A(0)>`
+  instance member `<B(0)>`          | B   | B   | B   | B   |     | B    |     | B   |
+  static member `<B(0)>`            | B   | A,B | A,B | A,B |     | A,B  |     | A,B |
+
+*) type descriptors for functions don't actually seem necessary (but if functions have them,
+then const's need them, too)
+
+If a type parameter among `A` and `B` does not have the `(0)` characteristic, then it is dropped
+from the TD column.
+
+This table is implemented in the `TypeArgDescriptorUse` method in the compiler.
diff --git a/v4.10.0/Compilation/Boogie.md b/v4.10.0/Compilation/Boogie.md
new file mode 100644
index 0000000..b219dba
--- /dev/null
+++ b/v4.10.0/Compilation/Boogie.md
@@ -0,0 +1,27 @@
+---
+title: Dafny compilation to Boogie
+---
+
+# Dafny compilation to Boogie
+
+## `{:opaque} attribute`
+
+During verification in Boogie, all functions are given an extra first parameter, which is the _fuel_ (represented in Boogie by unary numbers, e.g. `$LS($LS($LZ)`) is a fuel of two).
+To unroll a function, axioms ensure that a recursive call is provided with the current fuel minus 1, so that we don't unroll undefinitely.
+
+**Normal behavior:** When verifying a method or a function, Dafny will look at every `assert`. If it finds one, every function call inside it will use a fuel argument of at least 2 (`$LS($LS($LZ))`), meaning the verifier will be able to unroll the function's body twice for this assertion. When this assertion is proven, Dafny provides an `assume` about the result, but in this case the functions are provided a fuel of only 1 (`$LS($LZ)`), meaning it unrolls the body only once.
+
+**Opaque behavior:** When Dafny sees an `{:opaque}` attribute on a function `foo`, Dafny declares to Boogie two unknown constants `StartFuel_f` and `StartFuelAssert_f`. It uses `StartFuelAssert_f` in lieu of the default fuel (`$LS($LS($LZ))`) in the context of `assert` statements or expressions, and `StartFuel_f` in lieu of the default fuel (`$LS($LZ)`) in the context of the `assume` that immediately follows the `assert`. These two constants don't have any axioms so, by default, the verifier is unable to unroll the functions and they behave like uninterpreted functions.
+
+**Reveal lemma:** Every statement (or part of expression) `reveal foo(), bar();` is translated to calls to lemmas `reveal_foo(); reveal_bar();`.
+Such lemmas are defined in Dafny and with special attribute provide the postcondition that 1) `StartFuel_f` is `$LS(MoreFuel_f)` (where `MoreFuel_f` is an declared constant without axiom), and `StartFuelAssert_f` is `$LS($LS(MoreFuel_f))`. This makes the call to a function the same as if it was not opaque.
+
+```dafny
+  lemma {:axiom} {:opaque_reveal} {:auto_generated} {:fuel foo,1,2} reveal_foo()
+```
+
+The `{:fuel foo,1,2}` annotation in Dafny corresponds to the Boogie equivalent of:
+```
+ensures StartFuel_f = $LS(MoreFuel_f)
+ensures StartFuelAssert_f = $LS($LS(MoreFuel_f))
+```
diff --git a/v4.10.0/Compilation/Go.md b/v4.10.0/Compilation/Go.md
new file mode 100644
index 0000000..5b254c1
--- /dev/null
+++ b/v4.10.0/Compilation/Go.md
@@ -0,0 +1,567 @@
+---
+title: Dafny compilation to Go
+---
+
+Dafny compilation to Go
+=======================
+
+This documentation is intended primarily to help with writing Go code that makes
+use of code generated from Dafny.  The emphasis is therefore on features visible
+to the user of the module.
+
+Note: Identifiers
+-----------------
+
+As much as possible, identifiers in generated code include underscores in their
+names.  Therefore, to avoid namespace collisions, **avoid using underscores in
+names in Dafny code** if you anticipate compiling to Go.
+
+Top-Level Structure
+-------------------
+
+Unlike C# and JavaScript, Go imposes strict requirements on modules and file
+structure.  As it is not possible to put a multi-package Go program into one
+file, a whole directory structure is produced alongside the original `.dfy`
+file.  For a Dafny source file `Example.dfy` which doesn't define any modules,
+the structure will look like so:
+
+  - `Example-go`: The top level, to which `GOPATH` is set in order to run the
+    program.
+    - `src`: All source files are placed here.
+      - `Example.go`: A stub which calls the Main method in `module_/module_go`.
+      - `module_/module_.go`: The main module.
+      - `dafny/dafny.go`: The Dafny run-time library.
+      - `System_/System_.go`: Additional definitions for built-in types.
+
+Each Dafny module will be placed in a package named after the module, in a file
+such as `Module/Module.go`.  If the module's name begins with an underscore
+(such as in the `_module` and `_System` modules), the filename will move the
+underscore to the end.  (Go ignores any file whose name starts with an
+underscore.)
+
+Anything declared outside of a module will end up in the default module, called
+`_module`.
+
+Predefined Types
+----------------
+
+| Dafny         | Go                |                                   |
+| :------------ | :---------------- | :-------------------------------- |
+| `bool`        | `bool`            |
+| `int`         | `_dafny.Int`      | Immutable wrapper for `*big.Int`  |
+| `bv`          | `_dafny.BV`       | Synonym of `_dafny.Int`           |
+| `real`        | `_dafny.Real`     | Immutable wrapper for `*big.Real` |
+| `char`        | `_dafny.Char` (`/unicodeChar:0`)<br> `_dafny.CodePoint` (`/unicodeChar:1`) | Defined as `rune`                 |
+| `string`      | `_dafny.Seq`      |
+| `object`      | `*interface{}`    |
+| `array<X>`    | `*_dafny.Array`   |
+| `A -> B`      | `func(A) B`       |
+| `seq<X>`      | `_dafny.Seq`      |
+| `set<X>`      | `_dafny.Set`      |
+| `multiset<X>` | `_dafny.MultiSet` |
+| `map<X, Y>`   | `_dafny.Map`      |
+
+Here `big` refers to the Go built-in bignum library `"math/big"`.
+
+Note that nullable Dafny types (`object` and `array<X>`) are modelled as pointer
+types in Go so that they have the distinguished value `nil` (to which `null`
+translates). In Go, each pointer type has its own `nil` value; that is, `nil`
+is typed to a specific pointer type (see also discussion of `nil` in the
+section on [Traits](#traits) below).
+
+Classes
+-------
+
+Instance members of classes are described in docs/Compilation/ReferenceTypes.md.
+
+Basic class functionality is mapped onto Go structs.  An instance field becomes
+a field in the struct, and an instance method becomes a method of that struct.
+
+```dafny
+class Class {
+  var x: int
+  constructor(x: int) {
+    this.x := x;
+    ...
+  }
+  method Frob(z: string, c: Class) returns (a: int, b: char) {
+    ...
+  }
+}
+```
+
+```go
+type Class struct {
+  X _dafny.Int
+}
+
+func (_this *Class) Ctor__(x: _dafny.Int) {
+  _this.X = x
+  ...
+}
+
+func (_this *Class) Frob(z dafny.Seq, c *Class) (_dafny.Int, _dafny.Char) {
+  ...
+}
+```
+
+**Caution:** Constant fields are represented as normal fields in generated Go
+code.  There is no enforcement mechanism.  Be careful!
+
+Note that the method has a pointer receiver, and the parameter type `Class` is
+translated as the pointer type `*Class`. Objects are always translated as
+pointers, including in receiver types, since (a) they're mutable in general,
+(b) they may be nullable, and (c) it's necessary for our implementation of
+inheritance (see [Traits](#traits)).
+
+Note also that the constructor becomes a regular method called `Ctor__` taking
+an already-allocated value as its receiver.
+
+Finally, all field and method names are capitalized so that they are exported
+from the defining module.
+
+### Initializers
+
+In addition to any constructors, each class also has an *initializer* which
+allocates an object, with all fields given the default values for their types.
+The initializer will be called <code>New_*Class*_</code>:
+
+```go
+func New_Class_() *Class {
+  _this := Class{}
+
+  _this.X = _dafny.Zero
+  _this.Y = _dafny.ZeroReal
+
+  return &_this
+}
+```
+
+Note that the initializer is *not* a constructor.  Dafny constructors translate
+to instance methods which are passed the output of the initializer.
+
+(The translation currently uses `Class{}` and then a separate assignment
+statement for each field, rather than putting the field values in the braces,
+for internal reasons involving type parameters.)
+
+### Static Members
+
+Go doesn't have static members *per se*.  Typical Go code uses the module, not
+the type, as the organizing structure, with supporting functions and variables
+exported from the same module as the type itself.  Thus it's tempting simply to
+translate static fields as global variables and static methods as non-method
+functions.  Unfortunately, this invites namespace collisions, as two classes in
+the same module can happily use the same name for a static member.  Therefore
+(borrowing from Scala terminology) we declare a *companion object* called
+`Companion_`*`Class`*`_` for each class:
+
+```dafny
+class Class {
+  var x: int
+  static const y = 42.0;
+  static method Frob(z: string, c: Class) returns (a: int, b: char) {
+    ...
+  }
+}
+```
+
+```go
+type Class struct {
+  X _dafny.Int
+}
+
+type CompanionStruct_Class_ struct {
+  Y _dafny.Real
+}
+var Companion_Class_ = CompanionStruct_Class_ {
+  Y: _dafny.RealOfString("42.0")
+}
+
+func (_this *CompanionStruct_Class_) Frob(z _dafny.Seq, c *Class) (_dafny.Int, _dafny.Char) {
+  ...
+}
+```
+
+## The Default Class
+
+All methods are represented as being members of some class.  Top-level methods,
+then, are static methods of the *default class,* called `Default__`.
+
+```dafny
+method Main() {
+  print "Hello world!\n";
+}
+```
+
+```go
+type Default__ struct {
+}
+
+type CompanionStruct_Default___ {
+}
+var Companion_Default___ = CompanionStruct_Default___{}
+
+func (_this *CompanionStruct_Default___) Main() {
+  _dafny.Print(_dafny.SeqOfString("Hello world!"))
+}
+```
+
+Traits
+------
+
+Instance members of traits are described in docs/Compilation/ReferenceTypes.md.
+
+### nil
+
+A class or array type is compiled into a _pointer type_ in Go. This means it
+includes the Go value `nil`. A trait is compiled into a Go _interface_. Abstractly,
+an interface value is either `nil` or a (value, type) pair. This means that
+the Dafny `null` value for a trait may be represented either as the Go
+interface value `nil` or a pair (`nil`, class pointer type).
+
+For instance, consider the following program:
+
+```dafny
+trait Trait { }
+class Class extends Trait { }
+method TestNil() {
+  var c: Class? := null;
+  var t: Trait? := null;
+  var u: Trait? := c;
+  var w := c == c;
+  var x := t == c;
+  var y := t == t;
+  var z := t == u;
+}
+```
+
+This Dafny program sets all of `c`, `t`, and `u` to `null`, and therefore
+also sets all four boolean variables to `true`. A simplified version of the target
+code in Go for this program is:
+
+```go
+type Trait interface {
+}
+type Class struct {
+  dummy byte
+}
+func TestNil() {
+  var c *MyClass
+  c = (*MyClass)(nil)  // c becomes nil of the pointer type *MyClass
+  var t MyTrait
+  t = (MyTrait)(nil)   // t becomes nil of interface type MyTrait
+  var u MyTrait
+  u = c                // u becomes (nil, *MyClass)
+
+  var w bool
+  w = c == c
+  var x bool
+  x = _dafny.AreEqual(t, c)
+  var y bool
+  y = _dafny.AreEqual(t, t)
+  var z bool
+  z = _dafny.AreEqual(t, u)
+}
+```
+
+As illustrated in this example, values of Dafny class types can be compared directly
+with `==` in Go, but values of other Dafny reference types need to be compared
+by the runtime function `_dafny.AreEqual`, which handles the two representations of
+`null`.
+
+Datatypes
+---------
+
+### Inductive
+
+Each inductive datatype is implemented as a struct that embeds an interface:
+
+```dafny
+datatype List = Nil | Cons(head: int, tail: List)
+```
+
+```go
+type List struct {
+  Data_List_
+}
+
+type Data_List_ interface {
+  isList()
+}
+```
+
+We could simply declare `List` as an interface type and be rid of `Data_List_`,
+but then we could not give `List` concrete methods.  The interface's `isList()`
+method is simply a marker to make sure no-one tries to pass off a type from
+another module as a `List`.
+
+Each constructor is a struct that implements the interface, along with a
+constructor function:
+
+```go
+type List_Nil struct {}
+func (List_Nil) isList() {}
+func Create_Nil_() List {
+  return List{List_Nil{}}
+}
+
+type List_Cons struct{
+  head _dafny.Int
+  tail List
+}
+func (List_Cons) isList() {}
+func Create_Cons_(head _dafny.Int, tail List) List {
+  return List{List_Cons{head, tail}}
+}
+```
+
+Constructor-check predicates operate using type assertions:
+
+```go
+func (_this List) Is_Nil() bool {
+  _, ok := _this.(List_Nil)
+  return ok
+}
+
+func (_this List) Is_Cons() bool {
+  _, ok := _this.(List_Cons)
+  return ok
+}
+```
+
+A destructor corresponding to only one constructor is implemented using a type
+assertion:
+
+```go
+func (_this List) Dtor_head() _dafny.Int {
+  return _this.(List_Cons).head
+}
+
+func (_this List) Dtor_tail() List {
+  return _this.(List_Cons).tail
+}
+```
+
+If multiple constructors share a destructor, its implementation will use a
+`switch` on the data struct's type.
+
+### Coinductive
+
+A coinductive datatype has a data struct like that of an inductive datatype, but
+the datatype itself is implemented as yet another interface:
+
+```dafny
+codatatype Stream = Next(shead: int, stail: Stream)
+```
+
+```go
+type Stream struct {
+  Iface_Stream_
+}
+
+type Iface_Stream_ {
+  Get() Data_Stream_
+}
+```
+
+Then, in addition to the usual constructors, a lazy constructor is provided:
+
+```go
+func (CompanionStruct_Stream_) Lazy_Stream_(f func () Stream) Stream {
+  ...
+}
+```
+
+The implementation allocates a value of the non-exported `lazyStream` type,
+which implements `Get()` by calling `f` once then caching the returned value for
+subsequent `Get()`s.
+
+Type Parameters
+---------------
+
+Go doesn't have parameteric polymorphism, so parameterized types are implemented
+by erasure: the Go type of a value whose type is a parameter is always
+`interface{}`.  The compiler takes care of inserting the necessary type
+assertions.
+
+For example:
+
+```dafny
+function method Head<A>(xs: seq<A>): A requires |xs| > 0 {
+  xs[0]
+}
+```
+
+```go
+func Head(xs _dafny.Seq) interface{} { ... }
+```
+
+(Here `Head` is actually a method of the default class's companion object, so it
+should have a receiver of type `CompanionStruct_Default___`; we've
+omitted this and other details for clarity throughout this section.)
+
+Any sequence has the same type `_dafny.Seq`, and the `Head` function's signature
+says it takes any sequence and may return any value.  Calls therefore often
+require type assertions:
+
+```dafny
+var xs: seq<int> := ...;
+var x: int := Head(xs);
+```
+
+```go
+xs := ...
+x := Head(xs).(_dafny.Int)
+```
+
+In more complex situations, it is necessary to retain type information that
+would otherwise be erased.  For example:
+
+```dafny
+method GetDefault<A(0)>() returns (a: A) { }
+```
+
+Here we cannot simply compile `Default` with type `func() interface{}`—what
+would it return?  Thus the compiled method takes a *run-time type descriptor*
+(RTD) as a parameter:
+
+```go
+func GetDefault(A _dafny.Type) interface{} {
+  var a interface{} = A.Default()
+  return a
+}
+```
+
+The `_dafny.Type` type is a simple interface; currently its only purpose is to
+allow for zero initialization in precisely such cases as these:
+
+```go
+type Type interface {
+  Default() interface{}
+}
+```
+
+Each compiled class or datatype comes with a function called
+<code>Type_*Class*_</code> that takes a `_dafny.Type` for each type parameter
+and returns the `_dafny.Type` for the class or datatype.
+
+Iterators
+---------
+
+An iterator is translated as a class with a `MoveNext()` method, as in Dafny.
+The constructor fires off a goroutine for the body of the iterator.  As
+goroutines are lightweight, this should not impose too much overhead.  One
+caveat as that we have to use a finalizer to end the goroutine early if the
+iterator is garbage-collected, as otherwise the goroutine stays live
+indefinitely, leaking any memory it holds onto.  Because of the way finalizers
+are invoked, however, the memory retained by the iterator cannot be reclaimed
+until the GC *after* the iterator itself is collected.  In the worst case,
+several iterators could be chained together, therefore taking n GC cycles to
+clean up n iterators.
+
+Externs
+-------
+
+Dafny code may freely interoperate with existing Go code using `{:extern}`
+declarations.  This may include both pre-existing Go modules and modules written
+specifically to interact with compiled Dafny code.
+
+Go modules to be included as part of the compiled code should be passed as
+additional arguments on the Dafny command line.
+
+An `{:extern}` declaration on a module indicates that the module is
+external—either one that was passed on the command line or one from a
+pre-existing package.
+
+```dafny
+module {:extern "os"} OS { }
+```
+
+```go
+import "os"
+```
+
+Import statements are automatically inserted in the default module and in
+subsequent (non-extern) modules (this may produce problems; see
+[this TODO item](#extern-always-imported)).
+
+As a special case, types and values in the built-in top-level scope in Go can be
+accessed by passing the empty string as the package name (see the next example).
+Such a declaration does not generate an `import` statement.
+
+An interface can be imported in Dafny code by declaring it as a trait with an
+`{:extern}` annotation:
+
+```dafny
+module {:extern ""} Builtins {
+  trait {:extern} error {
+    method {:extern} Error() returns (s : string)
+  }
+}
+```
+
+Similarly, a class with methods can be imported, and a top-level function can
+be imported as a module-level method:
+
+```dafny
+module {:extern "bufio"} BufIO {
+  class {:extern} Scanner {
+    method {:extern} Scan() returns (ok: bool)
+    method {:extern} Text() returns (text: string)
+  }
+
+  method {:extern} NewScanner(r: OS.Reader) returns (s: Scanner)
+}
+```
+
+The alert reader may notice here that the `Reader` interface belongs to the `io`
+package, not `os`.  Unfortunately, extern modules must abide by Dafny's
+restriction that a class can only extend a trait in its own module.  In Go
+terms, then, we can't directly express that a struct in one module implements
+an interface from another one.
+
+Fortunately, there is a “cheat”:
+
+```dafny
+module {:extern "io"} IO { }
+
+module {:extern "os"} OS {
+  import Builtins
+
+  trait {:extern "io", "Reader"} Reader { }
+  class {:extern} File extends Reader { }
+  method {:extern} Open(name: string) returns (file:File, error: Builtins.error?)
+}
+```
+
+Here we declare an empty module for `io` just to be sure that `io` gets
+imported.  Then we use a special two-argument `{:extern}` form that specifies
+that `Reader` actually lives in the `io` namespace.  Dafny will understand that
+we can call `Open` and use the `File` returned as a `Reader`.
+
+TODO
+----
+
+  - [ ] There isn't always enough run-time type information to determine whether
+    a sequence is a string (that is, a `seq<char>`).  In particular, a value
+    created as a `seq<A>` will always be output as a sequence of individual `A`
+    values rather than as a string, even if `A` is `char` for a particular
+    invocation.
+
+  - [ ] <a id="extern-always-imported"></a>Currently
+    it is assumed that, once an `extern` module is declared, every
+    subsequent Dafny module (plus the default module) imports it.  If a module
+    does not, the Go compiler will complain about an unused import.  To avoid
+    this, it suffices to declare a dummy variable of a type exported by that
+    module or a dummy function that calls a function exported by it.
+
+  - [ ] All symbols are exported from all modules (by capitalizing their names).
+    There isn't yet a way to hide internal fields, methods, etc.
+
+  - [ ] Coercion to and from native datatypes currently only happens for method
+    calls, not field accesses.
+
+  - [ ] Go implements a `switch` on a type as a linear search.  There are a few
+    places where we switch on the type of a datatype value's data struct.  It
+    would probably be better to replace these by separate implementations of
+    functions.
diff --git a/v4.10.0/Compilation/ReferenceTypes.md b/v4.10.0/Compilation/ReferenceTypes.md
new file mode 100644
index 0000000..ee15aa3
--- /dev/null
+++ b/v4.10.0/Compilation/ReferenceTypes.md
@@ -0,0 +1,696 @@
+---
+title: Dafny compilation of trait and class
+---
+
+Dafny compilation of trait and class
+====================================
+
+This document describes the compilation of `trait` and `class` declarations.
+Specifically, the document addresses
+
+* `trait` and `class` declarations with type parameters and `extends` clauses
+* instance members of those declarations
+* compilation into the target languages C#, Java, JavaScript, and Go
+
+The document does not include descriptions of
+
+* `static` members
+* `:extern` declarations
+* how to translate a method with multiple out-parameters into languages that support
+  only one (Java and JavaScript)
+
+Member declarations
+-------------------
+
+For the purpose of compilation, there are eight kinds of member declarations:
+
+* Mutable fields:
+  `var a: X`
+* Immutable fields:
+  `const c: X`
+* Immutable fields with a right-hand side (RHS):
+  `const d: X := E`
+* Body-less functions:
+  `function method F<U>(x: X): Y`
+* Functions with an implementation:
+  `function method G<U>(x: X): Y { E }`
+* Body-less methods:
+  `method M<U>(x: X) returns (y: Y)`
+* Methods with an implementation:
+  `method N<U>(x: X) returns (y: Y) { S }`
+* Constructors:
+  `constructor Ctor(x: X) { S }`
+
+Here and throughout, `X` and `Y` denote any types, `E` denotes
+an expression, and `S` denotes a statement.
+
+Preliminaries
+-------------
+
+## Target languages
+
+When speaking in general terms about the target language, this document uses
+words like "interface", "class", and "static", but meaning the target-language
+equivalent of those. Such an "interface" is like a `trait` in Dafny, but with
+no fields and no implementations.
+
+## Type descriptors
+
+The compilation of (non-reference) Dafny types to target types is many-to-one.
+For example, a subset type
+```dafny
+type Odd = x: int | x % 2 == 1
+```
+
+compiles to the same thing as the base type `int` does. For this reason,
+Dafny adds _run-time type descriptors_, which lets these types be distinguished
+at run time. The primary purpose of this is to be able to find a "default"
+value of a type parameter at run time. Not all type parameters need a corresponding
+type descriptor, but the sections below show them everywhere. The name
+`RTD` is used to denote the type of the type descriptors.
+
+## Outline
+
+The rest of this document presents, in order, the compilation of:
+
+* members for simple traits (no parent traits)
+* members for simple classes (no parent traits)
+* members inherited from parent traits
+* constructor bodies (in classes)
+
+Compilation of traits
+---------------------
+
+Consider a trait declared as
+```dafny
+trait Trait<V> {
+  var a: X
+  const c: X
+  const d: X := E
+  function method F<U>(x: X): Y
+  function method G<U>(x: X): Y { E }
+  method M<U>(x: X) returns (y: Y)
+  method N<U>(x: X) returns (y: Y) { S }
+}
+```
+
+Note that a trait does not have any constructors.
+
+A trait gets compiled into one interface and one "companion" class. Using a
+Dafny-like syntax, the target of the compilation is:
+```dafny
+interface Trait<V> {
+  function method a(): X
+  method set_a(value: X)
+  function method c(): X
+  function method d(): X
+  function method F<U>(rtdU: RTD, x: X): Y
+  function method G<U>(rtdU: RTD, x: X): Y
+  method M<U>(rtdU: RTD, x: X) returns (y: Y)
+  method N<U>(rtdU: RTD, x: X) returns (y: Y)
+}
+
+class Companion_Trait<V> {
+  static function method d(rtdV: RTD, _this: Trait<V>) { E }
+  static function method G<U>(rtdV: RTD, rtdU: RTD, _this: Trait<V>, x: X): Y { E }
+  static method N<U>(rtdV: RTD, rtdU: RTD, _this: Trait<V>, x: X) returns (y: Y) { S }
+}
+```
+There is no subtype relation between `Trait` and `Companion_Trait`.
+The companion class is used only as a "home" for the static methods.
+
+For any member with an implementation (`d`, `G`, and `N`), there is both a declaration
+in the interface and a corresponding definition in the companion class. The implementation
+(RHS or body) of the member is compiled into the latter.
+
+The functions and methods in the interface take a type descriptor for `U`, but not for
+`V`. This is because type descriptors of the receiver object are supplied at the time
+the object is created. In contrast, the implementations in the companion class
+do take a type descriptor for `V`, because any type descriptors of the receiver will
+be stored in the receiver in terms of the type parameters of the receiver's class.
+
+Note: Evidently, type parameters of the trait (or class) are not in scope in
+the RHS a `const` declaration. That is probably a bug. If this changes, then
+method `d` in the companion class also needs to take type-descriptor parameters.
+
+Note: Evidently, a `const` without a RHS in a trait is not allowed to be overridden (to
+be given a RHS). That restriction was probably necessary under the previous encoding, but
+it isn't anymore. It would be good to remove this restriction.
+
+## C#
+
+C# supports _properties_. Such a property is a pair of methods: a getter and a(n optional) setter.
+Dafny compiles a mutable trait field into a property with a getter and setter, and compiles
+an immutable field into a property with just a getter.
+
+The immutable field `d` with a RHS still gets translated into a static function in the companion
+class, since it is a static function with an parameter called `_this`.
+
+The C# target code uses some features of reflection instead of using explicit type-descriptor
+parameters.
+```
+interface Trait<V> {
+  property a: X { get; set; }
+  property c: X { get; }
+  property d: X { get; }
+  function method F<U>(x: X): Y
+  function method G<U>(x: X): Y
+  method M<U>(x: X) returns (y: Y)
+  method N<U>(x: X) returns (y: Y)
+}
+
+class Companion_Trait<V> {
+  static function method d(_this: Trait<V>) { E }
+  static function method G<U>(_this: Trait<V>, x: X): Y { E }
+  static method N<U>(_this: Trait<V>, x: X) returns (y: Y) { S }
+}
+```
+## Java
+
+A static method in Java cannot use the type parameters of the enclosing class. Therefore,
+the companion class for Java instead adds these type parameter to the method.
+```java
+interface Trait<V> {
+  function method a(): X
+  method set_a(value: X)
+  function method c(): X
+  function method d(): X
+  function method F<U>(rtdU: RTD, x: X): Y
+  function method G<U>(rtdU: RTD, x: X): Y
+  method M<U>(rtdU: RTD, x: X) returns (y: Y)
+  method N<U>(rtdU: RTD, x: X) returns (y: Y)
+}
+
+class Companion_Trait {
+  static function method d<V>(rtdV: RTD, _this: Trait<V>) { E }
+  static function method G<V, U>(rtdV: RTD, rtdU: RTD, _this: Trait<V>, x: X): Y { E }
+  static method N<V, U>(rtdV: RTD, rtdU: RTD, _this: Trait<V>, x: X) returns (y: Y) { S }
+}
+```
+
+## JavaScript
+
+Being a dynamicly typed language, objects in JavaScript are built by creating members during
+object construction. This flexibility means that body-less definitions don't generate
+any code.
+
+A trait gives rise to just one main type, which is a JavaScript class. It serves the purpose
+of the companion class.
+
+Finally, since JavaScript is dynamicly typed, the language does not require (or support) type
+parameters. However, compilation still generates type descriptors.
+
+The result is thus organized as follows:
+```
+class Trait {
+  static function method d(rtdV, _this) { E }
+  static function method G(rtdV, rtdU, _this, x) { E }
+  static method N(rtdV, rtdU, _this, x) { S }
+}
+```
+
+The members without implementations (`a`, `c`, `F`, and `M`) are during object construction,
+as described in a later section.
+
+## Go
+
+Go has no type parameters, so those are replaced by the empty interface type.
+```
+interface Trait {
+  function method a(): X
+  method set_a(value: X)
+  function method c(): X
+  function method d(): X
+  function method F(rtdU: RTD, x: X): Y
+  function method G(rtdU: RTD, x: X): Y
+  method M(rtdU: RTD, x: X) returns (y: Y)
+  method N(rtdU: RTD, x: X) returns (y: Y)
+}
+
+class Companion_Trait {
+  static function method d(_this: Trait) { E }
+  static function method G(rtdV: RTD, rtdU: RTD, _this: Trait, x: X): Y { E }
+  static method N(rtdV: RTD, rtdU: RTD, _this: Trait, x: X) returns (y: Y) { S }
+}
+```
+
+Compilation of class members
+----------------------------
+
+Consider a class declared as
+```dafny
+class Class<V> {
+  var a: X
+  const c: X
+  const d: X := E
+  function method G<U>(x: X): Y { E }
+  method N<U>(x: X) returns (y: Y) { S }
+}
+```
+
+Constructors of the class are considered in a later section. Note that all functions and
+methods of a class to be compiled have bodies.
+
+A class gets compiled into one target class. Using a Dafny-like syntax, the target of
+the compilation is:
+```
+class Class<V> {
+  var _rtdV: RTD
+  var a: X
+  var _c: X
+  function method c(): X { _c }
+  function method d(): X { E }
+  function method G<U>(rtdU: RTD, x: X): Y { E }
+  method N<U>(rtdU: RTD, x: X) returns (y: Y) { S }
+}
+```
+
+The type descriptor for `V` is passed into the constructor (not shown here, but see
+a later section) and stored in the field `_rtdV`. The functions and methods in the class
+take a type descriptor for `U` and access `_rtdV` via the receiver object.
+
+The value of the immutable field `c` is computed in the constructor (not shown here)
+and therefore needs to be stored. For this purpose, the target class uses a backing
+field `_c`, which is returned by the function `c()`.
+
+Design alternative: Immutable field `d` does not need a backing store, since its value
+is an expression that can easily be compiled to be evaluated each time the field is
+accessed. An alternative would be to nevertheless introduce a backing store for it.
+That would cost additional space in each object, but would avoid re-evaluating the
+RHS `E` and would make the treatment of `c` and `d` more uniform. A possible advantage
+of the current design is that it gives a way in a Dafny program to select between
+the backing-stored constant and a re-evaluate constant (an argument that doesn't
+apply to immutable fields inherited from traits).
+
+Design alternative: Instead of using a backing store for immutable fields, the target
+class could just declare these as fields. This would be more straightforward, though
+it would requires storage in every object and wouldn't offer the possibility of
+letting a Dafny program select between backing store and re-evaluation.
+
+Note: Evidently, type parameters of the trait (or class) are not in scope in
+the RHS a `const` declaration. That is probably a bug. If this changes, then
+method `d` above also needs to take type-descriptor parameters. The type descriptors
+must be initialized before an other initializing expression needs them.
+
+## C#
+
+The compilation to C# does not use type descriptors, so the `_rtdV` field is not
+present and neither are the type-descriptor parameters.
+
+The functions for retrieving `c` and `d` are declared as getter properties.
+```
+class Class<V> {
+  var a: X
+  var _c: X
+  property c: X { get { _c } }
+  property d: X { get { E } }
+  function method G<U>(x: X): Y { E }
+  method N<U>(x: X) returns (y: Y) { S }
+}
+```
+
+## Java
+```java
+class Class<V> {
+  var _rtdV: RTD
+  var a: X
+  var _c: X
+  function method c(): X { _c }
+  function method d(): X { E }
+  function method G<U>(rtdU: RTD, x: X): Y { E }
+  method N<U>(rtdU: RTD, x: X) returns (y: Y) { S }
+}
+```
+
+## JavaScript
+
+The compilation to JavaScript uses getters for the immutable fields.
+
+The `_rtdV`, `a`, and `_c` fields are declared by virtue of being assigned in the
+constructor. In the following, they are nevertheless shown as explicit field
+declarations:
+
+```
+class Class<V> {
+  var _rtdV
+  var a
+  var _c
+  property c { get { _c } }
+  property d { get { E } }
+  function method G(rtdU, x) { E }
+  method N(rtdU, x) { S }
+}
+```
+
+## Go
+
+Go doesn't have type parameters, but the compiler nevertheless generates type
+descriptors.
+
+```go
+class Class {
+  var _rtdV: RTD
+  var a: X
+  var _c: X
+  function method c(): X { _c }
+  function method d(): X { E }
+  function method G(rtdU: RTD, x: X): Y { E }
+  method N(rtdU: RTD, x: X) returns (y: Y) { S }
+}
+```
+
+Inherited members
+-----------------
+
+Here is a trait `Parent` and two types that extend it, a trait `Trait` and a class `Class`.
+Other than both extending `Parent`, types `Trait` and `Class` are unrelated.
+The extending types inherit all members of `Parent` and override `F` and `M` to give
+them implementations.
+```dafny
+trait Parent<V> {
+  var a: X
+  const c: X
+  const d := c
+  function method F<U>(x: X): X
+  function method G<U>(x: X): X { E }
+  method M<U>(x: X) returns (y: X)
+  method N<U>(x: X) returns (y: X) { S }
+}
+
+trait Trait<V> extends Parent<W> {
+  function method F<U>(x: X): Y { E }
+  method M<U>(x: X) returns (y: Y) { S }
+}
+
+class Class<V> extends Parent<W> {
+  function method F<U>(x: X): Y { E }
+  method M<U>(x: X) returns (y: Y) { S }
+}
+```
+
+The compilation of `Trait` is as follows:
+```
+interface Trait<V> extends Parent<W> {
+}
+
+class Companion_Trait<V> {
+  static function method F<U>(rtdV: RTD, rtdU: RTD, _this: Trait<V>, x: X): Y { E }
+  static method N<U>(rtdV: RTD, rtdU: RTD, _this: Trait<V>, x: X) returns (y: Y) { S }
+}
+```
+
+The extending trait simply indicates its relationship to `Parent`. The overriding
+member implementations are placed in the companion class, where the type of their receiver
+is `Trait<V>` and where the type-descriptor parameters correspond to the type parameters of
+`Trait` (not `Parent`) and the member itself.
+
+The compilation of `Class` is as follows:
+```
+class Class<V> extends Trait<W> {
+  var _rtdV: RTD
+
+  var _a: X
+  function method a(): X { _a }
+  method set_a(value: X) { _a := value; }
+
+  var _c: X
+  function method c(): X { _c }
+
+  function method d(): X {
+    Companion_Parent<W>.d(W(_rtdV), this)
+  }
+
+  function method F<U>(rtdU: RTD, x: X): Y { E }
+
+  function method G<U>(rtdU: RTD, x: X): Y {
+    Companion_Parent<W>.G(W(_rtdV), rtdU, this, x)
+  }
+
+  method M<U>(x: X) returns (y: X) { S }
+
+  method N<U>(rtdU: RTD, x: X) returns (y: Y) {
+    y := Companion_Parent<W>.N(W(_rtdV), rtdU, this, x);
+  }
+}
+```
+
+As shown in a section above, the class adds a field to hold the type descriptor for `V`.
+
+The extending class provides a backing store for the inherited mutable field and immutable
+field without a RHS. Using these, it then implements the target-language inherited getters
+and setters.
+
+It implements the inherited getter for `d`, whose implementation calls the implementation
+given in the companion class for `Parent`. The notation `W(_rtdV)` stands for the type
+descriptor for `W` that uses `_rtdV` as the type descriptor for `V`.
+
+The overridden members `F` and `M` are straightforwardly declared in the class.
+
+The implementation of the inherited members `G` and `N` are given as calls to the
+respective implementations in the companion class for `Parent`.
+
+## C#
+
+The compilation to C# uses property getters and setters for `a` and `c`.
+
+## Java
+
+Note: Evidently, the compiler emits a setter for `c`. It would be nice if it can be removed.
+
+## JavaScript
+
+As described above, but with no type parameters.
+
+## Go
+
+When a class or trait extends another trait `Parent` in Dafny, it instantiates the
+type parameters of `Parent`. Consequently, any members inherited from `Parent` have
+different type signatures than in `Parent`. This works the same way in C# and Java,
+so the Dafny type signatures of overriding members get the new types. Since type
+signatures are never declared in JavaScript, so this is a moot point there. In Go,
+however, the lack of type parameters means that any inherited members retain their
+original signatures (except for the receiver parameter).
+
+To let the overriding body use the Dafny types, compilation to Go adds new local
+variables corresponding to the formal parameters of the member. The local variables
+have the instantiated types. Those corresponding to in-parameters are initialized
+by a downcast of the given in-parameters. Dually, an upcast is performed at
+return points.
+
+In the following, `X` and `Y` refer to the types used in `Parent`, whereas `WX`
+and `WY` refer to those types with `Parent`'s type parameter `V` replaced by
+the type `W`. The Dafny-like `as` notation shows upcasts and downcasts.
+
+```
+class Class extends Trait {
+  var _rtdV: RTD
+
+  var _a: WX
+  function method a(): X { _a as X }
+  method set_a(value: X) { _a := value as WX; }
+
+  var _c: WX
+  function method c(): X { _c as X }
+
+  function method d(): X {
+    Companion_Parent.d(W(_rtdV), this) as X
+  }
+
+  function method F(rtdU: RTD, x: X): Y {
+    var x: WX := x;
+    E as Y
+  }
+
+  function method G(rtdU: RTD, x: X): Y {
+    Companion_Parent.G(W(_rtdV), rtdU, this, x as WX) as WY
+  }
+
+  method M(x: X) returns (y: Y) {
+    {
+      var x: WX := x;
+      var y: WY;
+      S
+      return y as Y;
+    }
+  }
+
+  method N(rtdU: RTD, x: X) returns (y: Y) {
+    var y: WY := Companion_Parent.N(W(_rtdV), rtdU, this, x as WY);
+    return y as Y;
+  }
+}
+```
+
+There is no need to say `extends Trait` in Go, because trait membership is not nominal.
+Nevertheless, the compiler generates some code that will cause the Go compiler to
+verify `Class extends Trait` at compile time.
+
+Note: Previously, traits were represented using a mix of a "struct" and an "interface" in Go.
+In that design, the "struct" portion was embedded into the class, which allowed fields
+to be inherited using Go's embedding. On the downside, this required each Dafny
+object to be represented as a collection of Go objects, with mutual pointers between them
+This required the compiler to insert upcasts, which became difficult to maintain in the
+implementation. Moreover, the design was problematic for checking equality and became
+impractical in the presence of type variance. For example, consider using a `seq<Class>` as
+a `seq<Parent>`. One possibility is to copy the entire sequence, performing an upcast for
+each element. This would have a large cost at run time. A more tantalizing possibility is
+to always use the "main" pointer to an object when storing it in the sequence. Then, the
+conversion from a `seq<Class>` to a `seq<Parent>` is a no-op. However, consider some
+other `seq<Parent>` whose element include instances from a variety of classes that extend
+`Parent`. Go obtain an element of that sequence as a `Parent` would require casting the
+"main" object, whose type is unknown, to its `Parent` component. It would be possible to
+do this if the "interface" definition of the object had a function to return the `Parent`
+portion. So, rather than keeping this web of pointers among the various portions of the
+object, this design was abandoned in favor of what is done for the other target languages,
+where instead of a "struct" portion of a trait, the trait "interface" is used for everything
+and include getters/setters for fields.
+
+Constructors
+------------
+
+A class constructor is responsible for initializing all fields of the object. This includes
+the fields declared in the class as well as the _set_ of fields inherited from ancestor
+traits. Note that even if a trait is an ancestor in more than one way, there is only one
+copy of its fields. (Dafny restricts programs so that every occurrences of the same ancestor
+trait is given the same type parameters.)
+
+Target languages provide various constructor mechanisms of their own. Dafny compilation
+uses those only to the extent required by the target language. Each Dafny constructor
+is compiled into a target-language method that performs the bulk of the work.
+
+Consider the following declarations of a class and its ancestor traits:
+```dafny
+trait A<V> {
+  var a: X
+  const c: X
+}
+
+trait B<V> extends A<W> {
+}
+
+trait C<V> extends A<W> {
+}
+
+class Class<V> extends B<W>, C<W> {
+  var k: X
+
+  constructor Init(x: X) {
+    a := x;
+    c := x;
+  }
+}
+```
+
+The class as follows, where the target-language constructor is indicated with the
+keyword `constructor` and the bulk of the work is done in a method:
+
+```
+class Class<V> extends A<W>, B<W>, C<W> {
+  var _rtdV: RTD
+
+  var _a: X
+  function method a(): X { _a }
+  method set_a(value: X) { _a := value; }
+
+  var _c: X
+  function method c(): X { _c }
+
+  var k: X
+
+  constructor (rtdV: RTD) {
+    _rtdV := rtdV;
+    _a := 0;
+    _c := 0;
+    k := 0;
+  }
+
+  method Init(x: X) {
+    _a := x;
+    _c := x;
+    k := x;
+  }
+}
+```
+
+The target constructor assigns some initial values to `_a` and `_c` (to cover the
+case where these are not assigned explicitly in the Dafny constructor). The RHS `0`
+in these assignments is meant to be suggestive of an appropriate default value of
+the appropriate type.
+
+Note: It would be better to move the initial assignments of the fields into the
+initialization method, because then the program could be analyzed to determine whether
+or not those assignment are needed at all.
+
+## C#
+
+The compilation follows the general case, except for three things. First, type
+descriptors are not used for C#. Second, the setters and getters make use of C#
+properties. Third, the initial assignments to the fields are done as part of the
+field declarations.
+
+```
+class Class<V> extends A<W>, B<W>, C<W> {
+  var _a: X := 0
+  property a: X {
+    get { _a }
+    set(value: X) { _a := value; }
+  }
+
+  var _c: X := 0
+  property c: X {
+    get { _c }
+  }
+
+  var k: X := 0
+
+  constructor () { }
+
+  method Init(x: X) {
+    _a := x;
+    _c := x;
+    k := x;
+  }
+}
+```
+
+## Java
+```java
+class Class<V> extends A<W>, B<W>, C<W> {
+  var _rtdV: RTD
+
+  var _a: X
+  function method a(): X { _a }
+  method set_a(value: X) { _a := value; }
+
+  var _c: X
+  function method c(): X { _c }
+  method set_c(value: X) { _c := value; }
+
+  var k: X
+
+  constructor (rtdV: RTD) {
+    _rtdV := rtdV;
+    _a := 0;
+    _c := 0;
+    k := 0;
+  }
+
+  method Init(x: X) {
+    _a := x;
+    _c := x;
+    k := x;
+  }
+}
+```
+
+Note: Evidently, the Java target always uses setters when assigning to fields.
+
+## JavaScript
+
+Compilation to JavaScript follows the general form, except that there are no type
+parameters and no need for `extends` clauses.
+
+## Go
+
+The compilation follows the general form, but without type parameters and no need
+for `extends` clauses.
diff --git a/v4.10.0/Compilation/StringsAndChars.md b/v4.10.0/Compilation/StringsAndChars.md
new file mode 100644
index 0000000..30b671f
--- /dev/null
+++ b/v4.10.0/Compilation/StringsAndChars.md
@@ -0,0 +1,143 @@
+---
+title: Strings and Characters
+---
+
+# Strings and Characters
+
+This document describes how the built-in Dafny types `string` and `char`
+are compiled to the various supported target languages.
+
+The `string` type is just an alias for `seq<char>`, so most of the interesting
+decisions center around to represent the `char` type faithfully in each
+target languages. Historically, the `char` type has acted much like the
+following newtype declaration:
+
+```dafny
+newtype char = c: int | 0 <= c < 65536
+```
+
+That is, `char` really meant "UTF-16 code unit". Since Dafny `string`
+values can contain invalid use of surrogates, and since this is suboptimal
+for interoperating with other encodings such as UTF-8, the `--unicode-char`
+option was added to enable defining `char` to mean "Unicode scalar value"
+instead. This is equivalent to the following newtype declaration instead:
+
+```dafny
+newtype char = c: int | 0 <= c < 0xD800 || 0xE000 <= c < 0x11_0000
+```
+
+The selection of target language type for `char` is chosen primarily to
+ensure enough bits to efficiently store and work with these ranges of values,
+but also secondarily to align with the idiomatic character type where possible,
+and to support outputting the expected representation when passing characters
+and strings to the `print` statement.
+
+| Language      | --unicode-char=false           | --unicode-char=true                            |
+| ------------- | ------------------------------ | ---------------------------------------------- |
+| C#            | `char`                         | `Dafny.Rune`                             |
+| Java          | `char`                         | `int` / `dafny.CodePoint`                      |
+| JavaScript    | `string` of length 1           | `_dafny.CodePoint` (`number` wrapper)          |
+| Python        | `str` of length 1              | `_dafny.CodePoint` (`str` of length 1 wrapper) |
+| Go            | `_dafny.Char` (`rune` wrapper) | `_dafny.CodePoint` (`rune` wrapper)            |
+| C++           | `char`                         | (not supported)                                |
+
+The various runtimes for each language support both use cases,
+without any need for conditional compilation or multiple packages.
+Instead some utility functions have two different implementations with similar
+names but different signatures, and the corresponding compilers select
+which function to reference based on the value of `--unicode-char`.
+For example, most runtimes have a function named something like `SeqFromString`,
+for converting from the native string type to the appropriate type for the Dafny
+runtime if `--unicode-char=false`, but also a version named something like
+`UnicodeSeqFromString` for the `--unicode-char=true` case. Both accept the
+same input type, but the former will return something like a `Seq<Character>`
+whereas the latter will return something like a `Seq<CodePoint>`.
+
+Here are some notes to explain and justify the choices in each language
+when `--unicode-char=true`:
+
+## C#
+
+The `Dafny.Rune` struct is a wrapper around an `int` value,
+and its API guarantees that invalid values (e.g. surrogates) will be rejected on construction.
+Because C# optimizes this special case of a struct with a single value,
+using this in place of a direct `int` value when `--unicode-char` is enabled
+does not have any runtime overhead.
+We would use the standard `System.Text.Rune` struct instead,
+but the `DafnyRuntime` package is built for older .NET framework versions
+that don't include this type.
+
+## Java
+
+Java does not include a dedicated type for Unicode scalar values
+and instead uses the 32-bit wide `int` primitive type in general.
+The Java backend uses `int` whenever the static type of a value is known,
+but boxing of some kind is necessary to cast a primitive `int` value
+as a reference value when interfacing with generic code.
+
+The solution is to define our own `CodePoint` boxing type that wraps an `int`
+just as `Integer` does, but knows the true intended type more precisely
+and overrides `toString()` accordingly. We also define a `TypeDescriptor`
+for `UNICODE_CHAR` that uses `int` as the primitive,
+unboxed type but `CodePoint` as the boxing type,
+and this enables using the optimized `dafny.Array` class to store a
+sequence of code points in an `int[]` instead of in a `CodePoint[]`.
+
+## JavaScript / Python / Go
+
+In all three of these runtimes, the `_dafny.CodePoint` type is a wrapper
+around a reasonable built-in type for code points.
+Note that in Go, the underlying `rune` type allows surrogate values,
+and hence can be used whether `--unicode-char` is enabled or not.
+
+## C++
+
+The C++ `char` type is unfortunately only 8 bits wide, and hence
+is not an adequate choice for arbitrary UTF-16 code units.
+Addressing this and supporting the 21-bit range of Unicode scalar values
+is deferred for now, as it will require pulling in additional libraries
+to support printing to standard out in order to implement the `print` statement.
+
+# Printing strings and characters
+
+Although `string` is treated as a pure type alias within the core semantics
+of Dafny, it is highly beneficial to `print` a string value as `Hello`
+rather than `['H', 'e', 'l', 'l', 'o']`. With `--unicode-char=false`,
+the various runtimes make best effort attempts
+to identify which sequence values contain character values and hence should be
+printed as strings. This means this behavior depends on how easy it is
+to track this type information at runtime, and hence is not consistent
+between backends.
+
+With `--unicode-char=true`, however, this is simplified
+and consistent across backends: a value is only printed as a string if
+its static type is known to be `seq<char>`. This means that when using some
+more generic datatypes, string values will be printed as sequence values:
+printing an `Option<string>` value for example.
+
+This is generally implemented by including a function named something similar
+to `ToVerbatimString` on the sequence type in each runtime. This is only
+invoked in generated code when the sequence is known to be a `seq<char>`,
+and hence the runtimes are free to cast as needed to treat the values as
+strings.
+
+`--unicode-char` also changes how character values are printed by the
+`print` statement: `'D'` will print as `D` when `--unicode-char=false`.
+but `'D'` when `--unicode-char=true`.
+
+
+# String and character literals
+
+The simplest way to compile literals would be to materialize them as
+equivalent sequence displays of code point values, un-escaping escape sequences
+as needed. In other words, compiling a Dafny `"Hello"` string literal
+to something like `Seq(72, 101, 108, 108, 111)`.
+This would be a substantial hit to the readability of the compiled code,
+however, making it harder for Dafny users and contributors to debug issues:
+string literals are often helpful landmarks for orienting oneself
+when trying to understand the compiled code. Therefore,
+character and string literals are still translated to literals in the target
+language where possible.
+The `Util.MightContainNonAsciiCharacters` method is used to conservatively
+identify string and character literals that should use the more general
+approach using raw code point values instead.
diff --git a/v4.10.0/Dafny-cheat-sheet.pdf b/v4.10.0/Dafny-cheat-sheet.pdf
new file mode 100644
index 0000000..a11c0a8
Binary files /dev/null and b/v4.10.0/Dafny-cheat-sheet.pdf differ
diff --git a/v4.10.0/DafnyCheatsheet.docx b/v4.10.0/DafnyCheatsheet.docx
new file mode 100644
index 0000000..366e7b4
Binary files /dev/null and b/v4.10.0/DafnyCheatsheet.docx differ
diff --git a/v4.10.0/DafnyCheatsheet.pdf b/v4.10.0/DafnyCheatsheet.pdf
new file mode 100644
index 0000000..05cb916
Binary files /dev/null and b/v4.10.0/DafnyCheatsheet.pdf differ
diff --git a/v4.10.0/DafnyRef/.gitignore b/v4.10.0/DafnyRef/.gitignore
new file mode 100644
index 0000000..6510227
--- /dev/null
+++ b/v4.10.0/DafnyRef/.gitignore
@@ -0,0 +1,4 @@
+DafnyRefZ.md
+DafnyRef.pdf
+*.tex
+*.class
diff --git a/v4.10.0/DafnyRef/Attributes.1.expect b/v4.10.0/DafnyRef/Attributes.1.expect
new file mode 100644
index 0000000..b7ceee8
--- /dev/null
+++ b/v4.10.0/DafnyRef/Attributes.1.expect
@@ -0,0 +1,2 @@
+text.dfy(2,29): Error: Dafny's heuristics failed to confirm 'byte' to be a compatible native type. Hint: try writing a newtype constraint of the form 'i: int | lowerBound <= i < upperBound && (...any additional constraints...)'.
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Attributes.3.expect b/v4.10.0/DafnyRef/Attributes.3.expect
new file mode 100644
index 0000000..eca60fd
--- /dev/null
+++ b/v4.10.0/DafnyRef/Attributes.3.expect
@@ -0,0 +1,3 @@
+text.dfy(25,6): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Attributes.4.expect b/v4.10.0/DafnyRef/Attributes.4.expect
new file mode 100644
index 0000000..6abe439
--- /dev/null
+++ b/v4.10.0/DafnyRef/Attributes.4.expect
@@ -0,0 +1,3 @@
+text.dfy(1,23): Error: Verification out of resource (f)
+
+Dafny program verifier finished with 0 verified, 0 errors, 1 out of resource
diff --git a/v4.10.0/DafnyRef/Attributes.md b/v4.10.0/DafnyRef/Attributes.md
new file mode 100644
index 0000000..3c25e23
--- /dev/null
+++ b/v4.10.0/DafnyRef/Attributes.md
@@ -0,0 +1,1072 @@
+# 11. Attributes {#sec-attributes}
+
+Dafny allows many of its entities to be annotated with _Attributes_.
+Attributes are declared between `{:` and `}` like this:
+<!-- %no-check -->
+```dafny
+{:attributeName "argument", "second" + "argument", 57}
+```
+(White-space may follow but not precede the `:` in `{:`.)
+
+In general an attribute may have any name the user chooses. It may be
+followed by a comma-separated list of expressions. These expressions will
+be resolved and type-checked in the context where the attribute appears.
+
+Any Dafny entity may have a list of attributes.
+Dafny does not check that the attributes listed for an entity
+are appropriate for it (which means that misspellings may
+go silently unnoticed).
+
+The grammar shows where the attribute annotations may appear:
+````grammar
+Attribute = "{:" AttributeName [ Expressions ] "}"
+````
+
+Dafny has special processing for some attributes[^boogie-attributes].  Of those,
+some apply only to the entity bearing the attribute, while others (inherited
+attributes) apply to the entity and its descendants (such as nested modules,
+types, or declarations).  The attribute declaration closest to the entity
+overrides those further away.
+
+[^boogie-attributes]: All entities that Dafny translates to Boogie have their attributes passed on to Boogie except for the [`{:axiom}`](#sec-axiom) attribute (which conflicts with Boogie usage) and the [`{:trigger}`](#sec-trigger) attribute which is instead converted into a Boogie quantifier _trigger_. See Section 11 of [@Leino:Boogie2-RefMan].
+
+For attributes with a single boolean expression argument, the attribute
+with no argument is interpreted as if it were true.
+
+## 11.1. Attributes on top-level declarations
+
+### 11.1.1. `{:autocontracts}` {#sec-attributes-autocontracts}
+Dynamic frames [@Kassios:FM2006;@SmansEtAl:VeriCool;@SmansEtAl:ImplicitDynamicFrames;
+@LEINO:Dafny:DynamicFrames]
+are frame expressions that can vary dynamically during
+program execution. AutoContracts is an experimental feature that will
+fill much of the dynamic-frames boilerplate into a class.
+
+From the user's perspective, what needs to be done is simply:
+
+* mark the class with `{:autocontracts}`
+* declare a function (or predicate) called `Valid()`
+
+
+AutoContracts will then:
+
+*  Declare:
+<!-- %no-check -->
+```dafny
+   ghost var Repr: set<object>
+```
+
+* For function/predicate `Valid()`, insert:
+<!-- %no-check -->
+```dafny
+   reads this, Repr
+```
+* Into body of `Valid()`, insert (at the beginning of the body):
+<!-- %no-check -->
+```dafny
+   this in Repr && null !in Repr
+```
+* and also insert, for every array-valued field `A` declared in the class:
+<!-- %no-check -->
+```dafny
+   && (A != null ==> A in Repr)
+```
+* and for every field `F` of a class type `T` where `T` has a field called `Repr`, also insert:
+<!-- %no-check -->
+```dafny
+   (F != null ==> F in Repr && F.Repr <= Repr && this !in F.Repr)
+```
+  Except, if A or F is declared with `{:autocontracts false}`, then the implication will not
+be added.
+
+* For every constructor, add:
+<!-- %no-check -->
+```dafny
+   modifies this
+   ensures Valid() && fresh(Repr - {this})
+```
+* At the end of the body of the constructor, add:
+<!-- %no-check -->
+```dafny
+   Repr := {this};
+   if (A != null) { Repr := Repr + {A}; }
+   if (F != null) { Repr := Repr + {F} + F.Repr; }
+```
+* For every method, add:
+<!-- %no-check -->
+```dafny
+   requires Valid()
+   modifies Repr
+   ensures Valid() && fresh(Repr - old(Repr))
+```
+* At the end of the body of the method, add:
+<!-- %no-check -->
+```dafny
+   if (A != null) { Repr := Repr + {A}; }
+   if (F != null) { Repr := Repr + {F} + F.Repr; }
+```
+
+### 11.1.2. `{:nativeType}` {#sec-nativetype}
+The `{:nativeType}` attribute is only recognized by a `newtype` declaration
+where the base type is an integral type or a real type. For example:
+
+<!-- %check-resolve Attributes.1.expect -->
+```dafny
+newtype {:nativeType "byte"} ubyte = x : int | 0 <= x < 256
+newtype {:nativeType "byte"} bad_ubyte = x : int | 0 <= x < 257 // Fails
+```
+
+It can take one of the following forms:
+
+* `{:nativeType}` - With no parameters it has no effect and the declaration
+will have its default behavior, which is to choose a native type that can hold any
+value satisfying the constraints, if possible, and otherwise to use BigInteger.
+* `{:nativeType true}` - Also gives default behavior,
+but gives an error if the base type is not integral.
+* `{:nativeType false}` - Inhibits using a native type. BigInteger is used.
+* `{:nativeType "typename"}` - This form has an native integral
+type name as a string literal. Acceptable values are:
+   * `"byte"`      8 bits, unsigned
+   * `"sbyte"`     8 bits, signed
+   * `"ushort"`    16 bits, unsigned
+   * `"short"`     16 bits, signed
+   * `"uint"`      32 bits, unsigned
+   * `"int"`       32 bits, signed
+   * `"number"`    53 bits, signed
+   * `"ulong"`     64 bits, unsigned
+   * `"long"`      64 bits, signed
+
+  If the target compiler
+  does not support a named native type X, then an error is generated. Also, if, after
+  scrutinizing the constraint predicate, the compiler cannot confirm
+  that the type's values will fit in X, an error is generated.
+  The names given above do not have to match the names in the target compilation language,
+  just the characteristics of that type.
+
+### 11.1.3. `{:ignore}` (deprecated)
+Ignore the declaration (after checking for duplicate names).
+
+### 11.1.4. `{:extern}` {#sec-extern}
+
+`{:extern}` is a target-language dependent modifier used
+
+* to alter the `CompileName` of entities such as modules, classes, methods, etc.,
+* to alter the `ReferenceName` of the entities,
+* to decide how to define external abstract types,
+* to decide whether to emit target code or not, and
+* to decide whether a declaration is allowed not to have a body.
+
+The `CompileName` is the name for the entity when translating to one of the target languages.
+The `ReferenceName` is the name used to refer to the entity in the target language.
+A common use case of `{:extern}` is to avoid name clashes with existing library functions.
+
+`{:extern}` takes 0, 1, or 2 (possibly empty) string arguments:
+
+- `{:extern}`: Dafny will use the Dafny-determined name as the `CompileName` and not affect the `ReferenceName`
+- `{:extern s1}`: Dafny will use `s1` as the `CompileName`, and replaces the last portion of the `ReferenceName` by `s1`.
+     When used on an abstract type, s1 is used as a hint as to how to declare that type when compiling.
+- `{:extern s1, s2}` Dafny will use `s2` as the `CompileName`.
+     Dafny will use a combination of `s1` and `s2` such as for example `s1.s2` as the `ReferenceName`
+     It may also be the case that one of the arguments is simply ignored.
+
+Dafny does not perform sanity checks on the arguments---it is the user's responsibility not to generate
+  malformed target code.
+
+For more detail on the use of `{:extern}`, see the corresponding [section](#sec-extern-decls) in the user's guide.
+
+### 11.1.5. `{:disableNonlinearArithmetic}` {#sec-disable-nonlinear-arithmetic}
+This attribute only applies to module declarations. It overrides the global option `--disable-nonlinear-arithmetic` for that specific module. The attribute can be given true or false to disable or enable nonlinear arithmetic. When no value is given, the default value is true.
+
+## 11.2. Attributes on functions and methods
+
+### 11.2.1. `{:abstemious}`
+The `{:abstemious}` attribute is appropriate for functions on codatatypes.
+If appropriate to a function, the attribute can aid in proofs that the function is _productive_.
+See [the section on abstemious functions](#sec-abstemious) for more description.
+
+### 11.2.2. `{:autoReq}`
+For a function declaration, if this attribute is set true at the nearest
+level, then its `requires` clause is strengthened sufficiently so that
+it may call the functions that it calls.
+
+For following example
+<!-- %check-verify -->
+```dafny
+function f(x:int) : bool
+  requires x > 3
+{
+  x > 7
+}
+
+// Should succeed thanks to auto_reqs
+function {:autoReq} g(y:int, b:bool) : bool
+{
+  if b then f(y + 2) else f(2*y)
+}
+```
+the `{:autoReq}` attribute causes Dafny to
+deduce a `requires` clause for g as if it had been
+declared
+<!-- %check-verify -->
+```dafny
+function f(x:int) : bool
+  requires x > 3
+{
+  x > 7
+}
+function g(y:int, b:bool) : bool
+  requires if b then y + 2 > 3 else 2 * y > 3
+{
+  if b then f(y + 2) else f(2*y)
+}
+```
+
+### 11.2.3. `{:autoRevealDependencies k}` {#sec-autorevealdependencies}
+When setting `--default-function-opacity` to `autoRevealDependencies`, the `{:autoRevealDependencies k}` attribute can be set on methods and functions to make sure that only function dependencies of depth `k` in the call-graph or less are revealed automatically. As special cases, one can also use `{:autoRevealDependencies false}` (or `{:autoRevealDependencies 0}`) to make sure that no dependencies are revealed, and `{:autoRevealDependencies true}` to make sure that all dependencies are revealed automatically.
+
+For example, when the following code is run with `--default-function-opacity` set to `autoRevealDependencies`, the function `p()` should verify and `q()` should not.
+<!-- %no-check -->
+```dafny
+   function t1() : bool { true }
+   
+   function t2() : bool { t1() }
+
+   function {:autoRevealDependencies 1} p() : (r: bool) 
+     ensures r
+   { t1() }
+   
+   function {:autoRevealDependencies 1} q() : (r: bool) 
+     ensures r
+   { t2() }
+```
+
+### 11.2.4. `{:axiom}` {#sec-axiom}
+The `{:axiom}` attribute may be placed on a function or method.
+It means that the post-condition may be assumed to be true
+without proof. In that case also the body of the function or
+method may be omitted.
+
+The `{:axiom}` attribute only prevents Dafny from verifying that the body matches the post-condition.
+Dafny still verifies the [well-formedness](#sec-assertion-batches) of pre-conditions, of post-conditions, and of the body if provided.
+To prevent Dafny from running all these checks, one would use [`{:verify false}`](#sec-verify), which is not recommended.
+
+The compiler will still emit code for an [`{:axiom}`](#sec-axiom), if it is a [`function`, a `method` or a `function by method`](#sec-function-declarations) with a body.
+
+### 11.2.5. `{:compile}`
+The `{:compile}` attribute takes a boolean argument. It may be applied to
+any top-level declaration. If that argument is false, then that declaration
+will not be compiled at all.
+The difference with [`{:extern}`](#sec-extern) is that [`{:extern}`](#sec-extern)
+will still emit declaration code if necessary,
+whereas `{:compile false}` will just ignore the declaration for compilation purposes.
+
+### 11.2.6. `{:concurrent}`  {#sec-concurrent-attribute}
+The `{:concurrent}` attribute indicates that the compiled code for a function or method
+may be executed concurrently.
+While Dafny is a sequential language and does not support any native concepts for spawning
+or controlling concurrent execution,
+it does support restricting the specification of declarations such that it is safe to execute them concurrently
+using integration with the target language environment.
+
+Currently, the only way to satisfy this requirement is to ensure that the specification
+of the function or method includes the equivalent of `reads {}` and `modifies {}`.
+This ensures that the code does not read or write any shared mutable state,
+although it is free to read and write newly allocated objects.
+
+### 11.2.7. `{:extern <name>}` {#sec-extern-method}
+See [`{:extern <name>}`](#sec-extern).
+
+### 11.2.8. `{:fuel X}` {#sec-fuel}
+
+The fuel attribute is used to specify how much "fuel" a function should have,
+i.e., how many times the verifier is permitted to unfold its definition.  The
+`{:fuel}` annotation can be added to the function itself, in which
+case it will apply to all uses of that function, or it can be overridden
+within the scope of a module, function, method, iterator, calc, forall,
+while, assert, or assume.  The general format is:
+
+<!-- %no-check -->
+```dafny
+{:fuel functionName,lowFuel,highFuel}
+```
+
+When applied as an annotation to the function itself, omit
+functionName.  If highFuel is omitted, it defaults to lowFuel + 1.
+
+The default fuel setting for recursive functions is 1,2.  Setting the
+fuel higher, say, to 3,4, will give more unfoldings, which may make
+some proofs go through with less programmer assistance (e.g., with
+fewer assert statements), but it may also increase verification time,
+so use it with care.  Setting the fuel to 0,0 is similar to making the
+definition opaque, except when used with all literal arguments.
+
+### 11.2.9. `{:id <string>}`
+Assign a custom unique ID to a function or a method to be used for verification
+result caching.
+
+### 11.2.10. `{:induction}` {#sec-induction}
+The `{:induction}` attribute controls the application of
+proof by induction to two contexts. Given a list of
+variables on which induction might be applied, the
+`{:induction}` attribute selects a sub-list of those
+variables (in the same order) to which to apply induction.
+
+Dafny issue [34](https://github.com/Microsoft/dafny/issues/34)
+proposes to remove the restriction that the sub-list
+be in the same order, and would apply induction in the
+order given in the `{:induction}` attribute.
+
+The two contexts are:
+
+* A method, in which case the bound variables are all the
+  in-parameters of the method.
+* A [quantifier expression](#sec-induction-quantifier), in which case the bound variables
+  are the bound variables of the quantifier expression.
+
+The form of the `{:induction}` attribute is one of the following:
+
+* `{:induction}` or `{:induction true}` -- apply induction to all bound variables
+* `{:induction false}` -- suppress induction, that is, don't apply it to any bound variable
+* `{:induction L}` where `L` is a sublist of the bound variables
+-- apply induction to the specified bound variables
+* `{:induction X}` where `X` is anything else -- raise an error.
+
+Here is an example of using it on a quantifier expression:
+<!-- %check-verify -->
+```dafny
+datatype Unary = Zero | Succ(Unary)
+
+function UnaryToNat(n: Unary): nat {
+  match n
+  case Zero => 0
+  case Succ(p) => 1 + UnaryToNat(p)
+}
+
+function NatToUnary(n: nat): Unary {
+  if n == 0 then Zero else Succ(NatToUnary(n - 1))
+}
+
+lemma Correspondence()
+  ensures forall n: nat {:induction n} :: UnaryToNat(NatToUnary(n)) == n
+{
+}
+```
+
+
+### 11.2.11. `{:inductionTrigger}` {#sec-induction-trigger}
+
+Dafny automatically generates triggers for quantified induction hypotheses.  The default selection can be overridden using the `{:inductionTrigger}` attribute, which works like the usual [`{:trigger}` attribute](#sec-trigger).
+
+### 11.2.12. `{:only}` {#sec-only-functions-methods}
+
+`method {:only} X() {}` or `function {:only} X() {}`  temporarily disables the verification of all other non-`{:only}` members, e.g. other functions and methods, in the same file, even if they contain [assertions with `{:only}`](#sec-only).
+
+<!-- %no-check -->
+```dafny
+method {:only} TestVerified() {
+  assert true;                  // Unchecked
+  assert {:only} true by {      // Checked
+    assert true;                // Checked
+  }
+  assert true;                  // Unchecked
+}
+
+method TestUnverified() {
+  assert true;                  // Unchecked
+  assert {:only} true by {      // Unchecked because of {:only} Test()
+    assert true;                // Unchecked
+  }
+  assert true;                  // Unchecked
+}
+```
+
+`{:only}` can help focusing on a particular member, for example a lemma or a function, as it simply disables the verification of all other lemmas, methods and functions in the same file. It's equivalent to adding [`{:verify false}`](#sec-verify) to all other declarations simulatenously on the same file. Since it's meant to be a temporary construct, it always emits a warning.
+
+More information about the Boogie implementation of `{:opaque}` is [here](https://github.com/dafny-lang/dafny/blob/master/docs/Compilation/Boogie.md).
+
+### 11.2.13. `{:print}` {#sec-print}
+This attribute declares that a method may have print effects,
+that is, it may use `print` statements and may call other methods
+that have print effects. The attribute can be applied to compiled
+methods, constructors, and iterators, and it gives an error if
+applied to functions or ghost methods. An overriding method is
+allowed to use a `{:print}` attribute only if the overridden method
+does.
+Print effects are enforced only with `--track-print-effects`.
+
+### 11.2.14. `{:priority}`
+`{:priority N}` assigns a positive priority 'N' to a method or function to control the order
+in which methods or functions are verified (default: N = 1).
+
+### 11.2.15. `{:resource_limit}` and `{:rlimit}` {#sec-rlimit}
+
+`{:resource_limit N}` limits the verifier resource usage to verify the method or function to `N`.
+
+This is the per-method equivalent of the command-line flag `/rlimit:N` or `--resource-limit N`.
+If using [`{:isolate_assertions}`](#sec-isolate_assertions) as well, the limit will be set for each assertion.
+
+The attribute `{:rlimit N}` is also available, and limits the verifier resource usage to verify the method or function to `N * 1000`. This version is deprecated, however.
+
+To give orders of magnitude about resource usage, here is a list of examples indicating how many resources are used to verify each method:
+
+* 8K resource usage
+<!-- %check-verify -->
+  ```dafny
+  method f() {
+    assert true;
+  }
+  ```
+* 10K resource usage using assertions that do not add assumptions:
+<!-- %check-verify -->
+  ```dafny
+  method f(a: bool, b: bool) {
+    assert a: (a ==> b) <==> (!b ==> !a);
+    assert b: (a ==> b) <==> (!b ==> !a);
+    assert c: (a ==> b) <==> (!b ==> !a);
+    assert d: (a ==> b) <==> (!b ==> !a);
+  }
+  ```
+
+* 40K total resource usage using [`{:isolate_assertions}`](#sec-isolate_assertions)
+<!-- %check-verify -->
+  ```dafny
+  method {:isolate_assertions} f(a: bool, b: bool) {
+    assert a: (a ==> b) <==> (!b ==> !a);
+    assert b: (a ==> b) <==> (!b ==> !a);
+    assert c: (a ==> b) <==> (!b ==> !a);
+    assert d: (a ==> b) <==> (!b ==> !a);
+  }
+  ```
+*  37K total resource usage and thus fails with `out of resource`.
+<!-- %check-verify Attributes.4.expect -->
+   ```dafny
+   method {:rlimit 30} f(a: int, b: int, c: int) {
+     assert ((1 + a*a)*c) / (1 + a*a) == c;
+   }
+   ```
+
+Note that, the default solver Z3 tends to overshoot by `7K` to `8K`, so if you put `{:rlimit 20}` in the last example, the total resource usage would be `27K`.
+
+### 11.2.16. `{:selective_checking}`
+Turn all assertions into assumptions except for the ones reachable from after the
+assertions marked with the attribute `{:start_checking_here}`.
+Thus, `assume {:start_checking_here} something;` becomes an inverse
+of `assume false;`: the first one disables all verification before
+it, and the second one disables all verification after.
+
+### 11.2.17. `{:tailrecursion}`
+This attribute is used on method or function declarations. It has a boolean argument.
+
+If specified with a `false` value, it means the user specifically
+requested no tail recursion, so none is done.
+
+If specified with a `true` value, or if no argument is specified,
+then tail recursive optimization will be attempted subject to
+the following conditions:
+
+* It is an error if the method is a ghost method and tail
+recursion was explicitly requested.
+* Only direct recursion is supported, not mutually recursive methods.
+* If `{:tailrecursion true}` was specified but the code does not allow it,
+an error message is given.
+
+If you have a stack overflow, it might be that you have
+a function on which automatic attempts of tail recursion
+failed, but for which efficient iteration can be implemented by hand. To do this,
+use a [function by method](#sec-function-by-method) and
+define the loop in the method yourself,
+proving that it implements the function.
+
+Using a function by method to implement recursion can
+be tricky. It usually helps to look at the result of the function
+on two to three iterations, without simplification,
+and see what should be the first computation. For example,
+consider the following tail-recursion implementation:
+
+<!-- %check-verify -->
+```dafny
+datatype Result<V,E> = Success(value: V) | Failure(error: E)
+
+function f(x: int): Result<int, string>
+
+//  {:tailrecursion true}  Not possible here
+function MakeTailRec(
+  obj: seq<int>
+): Result<seq<int>, string>
+{
+  if |obj| == 0 then Success([])
+  else
+    var tail := MakeTailRec(obj[1..]);
+    var r := f(obj[0]);
+    if r.Failure? then
+      Failure(r.error)
+    else if tail.Failure? then
+      tail
+    else
+      Success([r.value] + tail.value)
+} by method {
+  var i: nat := |obj|;
+  var tail := Success([]); // Base case
+  while i != 0
+    decreases i
+    invariant tail == MakeTailRec(obj[i..])
+  {
+    i := i - 1;
+    var r := f(obj[i]);
+    if r.Failure? {
+      tail := Failure(r.error);
+    } else if tail.Success? {
+      tail := Success([r.value] + tail.value);
+    } else {
+    }
+  }
+  return tail;
+}
+```
+
+The rule of thumb to unroll a recursive call into a sequential one
+is to look at how the result would be computed if the operations were not
+simplified. For example, unrolling the function on `[1, 2, 3]` yields the result
+`Success([f(1).value] + ([f(2).value] + ([f(3).value] + [])))`.
+If you had to compute this expression manually, you'd start with
+`([f(3).value] + [])`, then add `[f(2).value]` to the left, then 
+`[f(1).value]`.
+This is why the method loop iterates with the objects
+from the end, and why the intermediate invariants are
+all about proving `tail == MakeTailRec(obj[i..])`, which
+makes verification succeed easily because we replicate
+exactly the behavior of `MakeTailRec`.
+If we were not interested in the first error but the last one,
+a possible optimization would be, on the first error, to finish
+iterate with a ghost loop that is not executed.
+
+Note that the function definition can be changed by computing
+the tail closer to where it's used or switching the order of computing
+`r` and `tail`, but the `by method` body can stay the same.
+
+### 11.2.18. `{:test}` {#sec-test-attribute}
+This attribute indicates the target function or method is meant
+to be executed at runtime in order to test that the program is working as intended.
+
+There are two different ways to dynamically test functionality in a test:
+
+1. A test can optionally return a single value to indicate success or failure.
+   If it does, this must be a _failure-compatible_ type
+   just as the [update-with-failure statement](#sec-update-with-failure-statement) requires. That is,
+   the returned type must define a `IsFailure()` function method. If `IsFailure()`
+   evaluates to `true` on the return value, the test will be marked a failure, and this
+   return value used as the failure message.
+2. Code in the control flow of the test can use [`expect` statements](#sec-expect-statement)
+   to dynamically test if a boolean expression is true, and cause the test to halt
+   if not (but not the overall testing process). The optional second argument to 
+   a failed `expect` statement will be used as the test failure message.
+
+Note that the `expect` keyword can also be used to form "assign or halt" statements
+such as `var x :- expect CalculateX();`, which is a convenient way to invoke a method
+that may produce a failure within a test without having to return a value from the test.
+
+There are also two different approaches to executing all tests in a program:
+
+1. By default, the compiler will mark each compiled method as necessary so that
+   a designated target language testing framework will discover and run it.
+   This is currently only implemented for C#, using the xUnit `[Fact]` annotation.
+2. If `dafny test` is used, Dafny will instead produce a main method
+   that invokes each test and prints the results.
+   This runner is currently very basic, but avoids introducing any additional target
+   language dependencies in the compiled code.
+
+A method marked `{:test}` may not have any input arguments. If there is an
+output value that does not have a failure-compatible type, that value is 
+ignored. A method that does have input arguments can be wrapped in a test
+harness that supplies input arguments but has no inputs of its own and that
+checks any output values, perhaps with `expect` statements. The test harness
+is then the method marked with `{:test}`.
+
+### 11.2.19. `{:timeLimit N}` {#sec-time-limit}
+Set the time limit for verifying a given function or method.
+
+### 11.2.20. `{:timeLimitMultiplier X}`
+This attribute may be placed on a method or function declaration
+and has an integer argument. If `{:timeLimitMultiplier X}` was
+specified a `{:timeLimit Y}` attribute is passed on to Boogie
+where `Y` is `X` times either the default verification time limit
+for a function or method, or times the value specified by the
+Boogie `-timeLimit` command-line option.
+
+### 11.2.21. `{:transparent}` {#sec-transparent}
+
+By default, the body of a function is transparent to its users. This can be overridden using the `--default-function-opacity` command line flag. If default function opacity is set to `opaque` or `autoRevealDependencies`, then this attribute can be used on functions to make them always non-opaque.
+
+### 11.2.22. `{:verify false}` {#sec-verify}
+     
+Skip verification of a function or a method altogether,
+not even trying to verify the [well-formedness](#sec-assertion-batches) of postconditions and preconditions.
+We discourage using this attribute and prefer [`{:axiom}`](#sec-axiom),
+which performs these minimal checks while not checking that the body satisfies the postconditions.
+
+If you simply want to temporarily disable all verification except on a single function or method, use the [`{:only}`](#sec-only-functions-methods) attribute on that function or method.
+
+### 11.2.23. `{:vcs_max_cost N}` {#sec-vcs_max_cost}
+Per-method version of the command-line option `/vcsMaxCost`.
+
+The [assertion batch](#sec-assertion-batches) of a method
+will not be split unless the cost of an [assertion batch](#sec-assertion-batches) exceeds this
+number, defaults to 2000.0. In
+[keep-going mode](#sec-vcs_max_keep_going_splits), only applies to the first round.
+If [`{:isolate_assertions}`](#sec-isolate_assertions) is set, then this parameter is useless.
+
+### 11.2.24. `{:vcs_max_keep_going_splits N}` {#sec-vcs_max_keep_going_splits}
+
+Per-method version of the command-line option `/vcsMaxKeepGoingSplits`.
+If set to more than 1, activates the _keep going mode_ where, after the first round of splitting,
+[assertion batches](#sec-assertion-batches) that timed out are split into N [assertion batches](#sec-assertion-batches) and retried
+until we succeed proving them, or there is only one
+single assertion that it timeouts (in which
+case an error is reported for that assertion).
+Defaults to 1.
+If [`{:isolate_assertions}`](#sec-isolate_assertions) is set, then this parameter is useless.
+
+### 11.2.25. `{:vcs_max_splits N}` {#sec-vcs_max_splits}
+
+Per-method version of the command-line option `/vcsMaxSplits`.
+Maximal number of [assertion batches](#sec-assertion-batches) generated for this method.
+In [keep-going mode](#sec-vcs_max_keep_going_splits), only applies to the first round.
+Defaults to 1.
+If [`{:isolate_assertions}`](#sec-isolate_assertions) is set, then this parameter is useless.
+
+### 11.2.26. `{:isolate_assertions}` {#sec-isolate_assertions}
+Per-method version of the command-line option<span id="sec-vcs_split_on_every_assert"></span> `/vcsSplitOnEveryAssert`
+
+In the first and only verification round, this option will split the original [assertion batch](#sec-assertion-batches)
+into one assertion batch per assertion.
+This is mostly helpful for debugging which assertion is taking the most time to prove, e.g. to profile them.
+
+### 11.2.27. `{:synthesize}` {#sec-synthesize-attr}
+
+The `{:synthesize}` attribute must be used on methods that have no body and
+return one or more fresh objects. During compilation, 
+the postconditions associated with such a
+method are translated to a series of API calls to the target languages's
+mocking framework. The object returned, therefore, behaves exactly as the
+postconditions specify. If there is a possibility that this behavior violates
+the specifications on the object's instance methods or hardcodes the values of
+its fields, the compiler will throw an error but the compilation will go
+through. Currently, this compilation pass is only supported in C# and requires
+adding the latest version of the Moq library to the .csproj file before
+generating the binary.
+
+Not all Dafny postconditions can be successfully compiled - below is the
+grammar for postconditions that are supported (`S` is the start symbol, `EXPR`
+stands for an arbitrary Dafny expression, and `ID` stands for
+variable/method/type identifiers):
+
+```text
+S         = FORALL
+          | EQUALS
+          | S && S
+EQUALS    = ID.ID (ARGLIST) == EXPR // stubs a function call
+          | ID.ID           == EXPR // stubs field access
+          | EQUALS && EQUALS
+FORALL    = forall BOUNDVARS :: EXPR ==> EQUALS
+ARGLIST   = ID   // this can be one of the bound variables
+          | EXPR // this expr may not reference any of the bound variables
+          | ARGLIST, ARGLIST
+BOUNDVARS = ID : ID
+          | BOUNDVARS, BOUNDVARS
+```
+
+### 11.2.28. `{:options OPT0, OPT1, ... }` {#sec-attr-options}
+
+This attribute applies only to modules. It configures Dafny as if
+`OPT0`, `OPT1`, … had been passed on the command line.  Outside of the module,
+options revert to their previous values.
+
+Only a small subset of Dafny's command line options is supported.  Use the
+`/attrHelp` flag to see which ones.
+
+## 11.3. Attributes on reads and modifies clauses
+
+### 11.3.1. `{:assume_concurrent}`
+This attribute is used to allow non-empty `reads` or `modifies` clauses on methods
+with the `{:concurrent}` attribute, which would otherwise reject them.
+
+In some cases it is possible to know that Dafny code that reads or writes shared mutable state
+is in fact safe to use in a concurrent setting, especially when that state is exclusively ghost.
+Since the semantics of `{:concurrent}` aren't directly expressible in Dafny syntax,
+it isn't possible to express this assumption with an `assume {:axiom} ...` statement.
+
+See also the [`{:concurrent}`](#sec-concurrent-attribute) attribute.
+
+## 11.4. Attributes on assertions, preconditions and postconditions {#sec-verification-attributes-on-assertions}
+
+### 11.4.1. `{:only}` {#sec-only}
+
+`assert {:only} X;` temporarily transforms all other non-`{:only}` assertions in the surrounding declaration into assumptions.
+
+<!-- %no-check -->
+```dafny
+method Test() {
+  assert true;                  // Unchecked
+  assert {:only} true by {      // Checked
+    assert true;                // Checked
+  }
+  assert true;                  // Unchecked
+  assert {:only "after"} true;  // Checked
+  assert true;                  // Checked
+  assert {:only "before"} true; // Checked
+  assert true;                  // Unchecked
+}
+```
+
+`{:only}` can help focusing on a particular proof or a particular branch, as it transforms not only other explicit assertions, but also other implicit assertions, and call requirements, into assumptions.
+Since it's meant to be a temporary construct, it always emits a warning.
+It also has two variants `assert {:only "before"}` and `assert {:only "after"}`.
+Here is precisely how Dafny determines what to verify or not.
+Each `{:only}` annotation defines a "verification interval" which is visual:
+
+* `assert {:only} X [by {...} | ;]` sets a verification interval that starts at the keyword `assert` and ends either at the end of the proof `}` or the semicolon `;`, depending on which variant of `assert` is being used.
+* `assert {:only} ...` inside another verification interval removes that verification interval and sets a new one.
+* `assert {:only "before"} ...` inside another verification interval finishes that verification interval earlier at the end of this assertion. Outside a verification interval, it sets a verification interval from the beginning of the declaration to the end of this assertion, but only if there were no other verification intervals before.
+* `assert {:only "after"} ...` inside another verification interval moves the start of that verification interval to the start of this new assert. Outside a verification interval, it sets a verification interval from the beginning of this `assert` to the end of the declaration.
+
+The start of an asserted expression is used to determines if it's inside a verification interval or not.
+For example, in `assert B ==> (assert {:only "after"} true; C)`, `C` is actually the start of the asserted expression, so it is verified because it's after `assert {:only "after"} true`.
+
+As soon as a declaration contains one `assert {:only}`, none of the postconditions are verified; you'd need to make them explicit with assertions if you wanted to verify them at the same time.
+
+You can also isolate the verification of a single member using [a similar `{:only}` attribute](#sec-only-functions-methods).
+
+### 11.4.2. `{:focus}` {#sec-focus}
+`assert {:focus} X;` splits verification into two [assertion batches](#sec-assertion-batches).
+The first batch considers all assertions that are not on the block containing the `assert {:focus} X;`
+The second batch considers all assertions that are on the block containing the `assert {:focus} X;` and those that will _always_ follow afterwards.
+Hence, it might also occasionally double-report errors.
+If you truly want a split on the batches, prefer [`{:split_here}`](#sec-split_here).
+
+Here are two examples illustrating how `{:focus}` works, where `--` in the comments stands for `Assumption`:
+<!-- %check-verify -->
+```dafny
+method doFocus1(x: bool) returns (y: int) {
+  y := 1;                     // Batch 1    Batch 2
+  assert y == 1;              // Assertion  --
+  if x {
+    if false {
+      assert y >= 0;          // --         Assertion
+      assert {:focus} y <= 2; // --         Assertion
+      y := 2;
+      assert y == 2;          // --         Assertion
+    }
+  } else {
+    assert y == 1;            // Assertion  --
+  }
+  assert y == 1;              // Assertion  Assertion
+  if !x {
+    assert y >= 1;            // Assertion  Assertion
+  } else {
+    assert y <= 1;            // Assertion  Assertion
+  }
+}
+```
+
+And another one where the focused block is guarded with a `while`, resulting in remaining assertions not being part of the first assertion batch:
+<!-- %check-verify -->
+```dafny
+method doFocus2(x: bool) returns (y: int) {
+  y := 1;                     // Batch 1    Batch 2
+  assert y == 1;              // Assertion  --
+  if x {
+    while false {
+      assert y >= 0;          // --         Assertion
+      assert {:focus} y <= 2; // --         Assertion
+      y := 2;
+      assert y == 2;          // --         Assertion
+    }
+  } else {
+    assert y == 1;            // Assertion  --
+  }
+  assert y == 1;              // Assertion  --
+  if !x {
+    assert y >= 1;            // Assertion  --
+  } else {
+    assert y <= 1;            // Assertion  --
+  }
+}
+```
+
+### 11.4.3. `{:split_here}` {#sec-split_here}
+`assert {:split_here} X;` splits verification into two [assertion batches](#sec-assertion-batches).
+It verifies the code leading to this point (excluded) in a first assertion batch,
+and the code leading from this point (included) to the next `{:split_here}` or until the end in a second assertion batch.
+It might help with timeouts.
+
+Here is one example, where `--` in the comments stands for `Assumption`:
+<!-- %check-verify -->
+```dafny
+method doSplitHere(x: bool) returns (y: int) {
+  y := 1;                      // Batch 1    Batch 2     Batch 3
+  assert y >= 0;               // Assertion  --          --
+  if x {
+    assert y <= 1;             // Assertion  --          --
+    assert {:split_here} true; // --         Assertion   --
+    assert y <= 2;             // --         Assertion   --
+    assert {:split_here} true; // --         --          Assertion
+    if x {
+      assert y == 1;           // --         --          Assertion
+    } else {
+      assert y >= 1;           // --         --          Assertion
+    }
+  } else {
+    assert y <= 3;             // Assertion  --          --
+  }
+  assert y >= -1;              // Assertion  --          --
+}
+```
+
+### 11.4.4. `{:subsumption n}`
+Overrides the `/subsumption` command-line setting for this assertion.
+`{:subsumption 0}` checks an assertion but does not assume it after proving it.
+You can achieve the same effect using [labelled assertions](#sec-labeling-revealing-assertions).
+
+### 11.4.5. `{:error "errorMessage", "successMessage"}` {#sec-error-attribute}
+Provides a custom error message in case the assertion fails.
+As a hint, messages indicating what the user needs to do to fix the error are usually better than messages that indicate the error only.
+For example:
+
+<!-- %check-resolve -->
+```dafny
+method Process(instances: int, price: int)
+  requires {:error "There should be an even number of instances", "The number of instances is always even"} instances % 2 == 0
+  requires {:error "Could not prove that the price is positive", "The price is always positive"} price >= 0
+{
+}
+method Test()
+{
+  if * {
+    Process(1, 0); // Error: There should be an even number of instances
+  }
+  if * {
+    Process(2, -1); // Error: Could not prove that the price is positive
+  }
+  if * {
+    Process(2, 5); // Success: The number of instances is always even
+                   // Success: The price is always positive
+  }
+}
+```
+
+The success message is optional but is recommended if errorMessage is set.
+
+### 11.4.6. `{:contradiction}`
+
+Silences warnings about this assertion being involved in a proof using contradictory assumptions when `--warn-contradictory-assumptions` is enabled. This allows clear identification of intentional proofs by contradiction.
+
+## 11.5. Attributes on variable declarations
+
+### 11.5.1. `{:assumption}` {#sec-assumption}
+This attribute can only be placed on a local ghost bool
+variable of a method. Its declaration cannot have a rhs, but it is
+allowed to participate as the lhs of exactly one assignment of the
+form: `b := b && expr;`. Such a variable declaration translates in the
+Boogie output to a declaration followed by an `assume b` command.
+See [@LeinoWuestholz2015], Section 3, for example uses of the `{:assumption}`
+attribute in Boogie.
+
+## 11.6. Attributes on quantifier expressions (forall, exists)
+
+### 11.6.1. `{:heapQuantifier}`
+
+_This attribute has been removed._
+
+### 11.6.2. `{:induction}` {#sec-induction-quantifier}
+See [`{:induction}`](#sec-induction) for functions and methods.
+
+### 11.6.3. `{:trigger}` {#sec-trigger}
+Trigger attributes are used on quantifiers and comprehensions.
+
+The verifier instantiates the body of a quantified expression only when it can find an expression that matches the provided trigger.  
+
+Here is an example:
+<!-- %check-verify Attributes.3.expect -->
+```dafny
+predicate P(i: int)
+predicate Q(i: int)
+
+lemma {:axiom} PHoldEvenly()
+  ensures  forall i {:trigger Q(i)} :: P(i) ==> P(i + 2) && Q(i)
+
+lemma PHoldsForTwo()
+  ensures forall i :: P(i) ==> P(i + 4)
+{
+  forall j: int
+    ensures P(j) ==> P(j + 4)
+  {
+    if P(j) {
+      assert P(j); // Trivial assertion
+      
+      PHoldEvenly();
+      // Invoking the lemma assumes `forall i :: P(i) ==> P(i + 4)`,
+      // but it's not instantiated yet
+      
+      // The verifier sees `Q(j)`, so it instantiates
+      // `forall i :: P(i) ==> P(i + 4)` with `j`
+      // and we get the axiom `P(j) ==> P(j + 2) && Q(j)`
+      assert Q(j);     // hence it can prove `Q(j)`
+      assert P(j + 2); //   and it can prove `P(j + 2)`
+      assert P(j + 4); // But it cannot prove this
+      // because it did not instantiate `forall i :: P(i) ==> P(i + 4)` with `j+2`
+    }
+  }
+}
+```
+
+Here are ways one can prove `assert P(j + 4);`:
+* Add `assert Q(j + 2);` just before `assert P(j + 4);`, so that the verifier sees the trigger.
+* Change the trigger `{:trigger Q(i)}` to `{:trigger P(i)}` (replace the trigger)
+* Change the trigger `{:trigger Q(i)}` to `{:trigger Q(i)} {:trigger P(i)}` (add a trigger)
+* Remove `{:trigger Q(i)}` so that it will automatically determine all possible triggers thanks to the option `/autoTriggers:1` which is the default.
+
+
+## 11.7. Deprecated attributes
+
+These attributes have been deprecated or removed. They are no longer useful (or perhaps never were) or were experimental.
+They will likely be removed entirely sometime soon after the release of Dafny 4.
+
+Removed:
+- :heapQuantifier
+- :dllimport
+- :handle
+
+Deprecated:
+- :opaque : This attribute has been promoted to a first-class modifier for functions. Find more information [here](#sec-opaque).
+
+## 11.8. Other undocumented verification attributes
+
+A scan of Dafny's sources shows it checks for the
+following attributes.
+
+* `{:$}`
+* `{:$renamed$}`
+* `{:InlineAssume}`
+* `{:PossiblyUnreachable}`
+* `{:__dominator_enabled}`
+* `{:__enabled}`
+* `{:a##post##}`
+* `{:absdomain}`
+* `{:ah}`
+* `{:assumption}`
+* `{:assumption_variable_initialization}`
+* `{:atomic}`
+* `{:aux}`
+* `{:both}`
+* `{:bvbuiltin}`
+* `{:candidate}`
+* `{:captureState}`
+* `{:checksum}`
+* `{:constructor}`
+* `{:datatype}`
+* `{:do_not_predicate}`
+* `{:entrypoint}`
+* `{:existential}`
+* `{:exitAssert}`
+* `{:expand}`
+* `{:extern}`
+* `{:focus}`
+* `{:hidden}`
+* `{:ignore}`
+* `{:inline}`
+* `{:left}`
+* `{:linear}`
+* `{:linear_in}`
+* `{:linear_out}`
+* `{:msg}`
+* `{:name}`
+* `{:originated_from_invariant}`
+* `{:partition}`
+* `{:positive}`
+* `{:post}`
+* `{:pre}`
+* `{:precondition_previous_snapshot}`
+* `{:qid}`
+* `{:right}`
+* `{:selective_checking}`
+* `{:si_fcall}`
+* `{:si_unique_call}`
+* `{:sourcefile}`
+* `{:sourceline}`
+* `{:split_here}`
+* `{:stage_active}`
+* `{:stage_complete}`
+* `{:staged_houdini_tag}`
+* `{:start_checking_here}`
+* `{:subsumption}`
+* `{:template}`
+* `{:terminates}`
+* `{:upper}`
+* `{:verified_under}`
+* `{:weight}`
+* `{:yields}`
+
+## 11.9. New attribute syntax {#sec-at-attributes}
+
+There is a new syntax for typed prefix attributes that is being added: `@Attribute(...)`.
+For now, the new syntax works only as top-level declarations. When all previous attributes will be migrated, this section will be rewritten. For example, you can write
+
+<!-- %check-resolve -->
+```dafny
+@IsolateAssertions
+method Test() {
+}
+```
+
+instead of
+
+<!-- %check-resolve -->
+```dafny
+method {:isolate_assertions} Test() {
+}
+```
+
+
+Dafny rewrites `@`-attributes to old-style equivalent attributes. The definition of these attributes is similar to the following:
+
+<!-- %no-check -->
+```dafny
+datatype Attribute =
+  | AutoContracts
+  | AutoRequires
+  | AutoRevealDependenciesAll
+  | AutoRevealDependencies
+  | Axiom
+  | Compile(bool)
+  | Concurrent
+  | DisableNonlinearArithmetic
+  | Fuel(low: int, high: int := low + 1, functionName: string := "")
+  | IsolateAssertions
+  | NativeUInt8 | NativeInt8 ... | NativeUInt128 | NativeInt128 | NativeInt | NativeNone | NativeIntOrReal
+  | Options(string)
+  | Print
+  | Priority(weight: int)
+  | ResourceLimit(value: string)
+  | Synthesize
+  | TimeLimit(amount: int)
+  | TimeLimitMultiplier(multiplier: int)
+  | TailRecursion
+  | Test
+  | TestEntry
+  | TestInline(amount: int)
+  | Transparent
+  | VcsMaxCost
+  | VcsMaxKeepGoingSplits
+  | VcsMaxSplits
+  | Verify(verify: bool)
+  | VerifyOnly
+  
+```
+
+@-attributes have the same checks as regular resolved datatype values
+* The attribute should exist
+* Arguments should be compatible with the parameters, like for a datatype constructor call
+
+However, @-attributes have more checks:
+* The attribute should be applied to a place where it can be used by Dafny
+* Arguments should be literals
diff --git a/v4.10.0/DafnyRef/CommandLineOptions.md b/v4.10.0/DafnyRef/CommandLineOptions.md
new file mode 100644
index 0000000..3bf4243
--- /dev/null
+++ b/v4.10.0/DafnyRef/CommandLineOptions.md
@@ -0,0 +1,3 @@
+# 16. Full list of legacy command-line options {#sec-full-command-line-options} <!-- PDFOMIT -->
+For the on-line version only, the output of `dafny -?` follows. Note that with the advent of [dafny commands](#sec-dafny-commands), many options are only applicable to some (if any) commands, some are renamed, and some are obsolete and will eventually be removed. <!--PDFOMIT-->
+{% include_relative Options.txt %} <!-- PDFOMIT -->
diff --git a/v4.10.0/DafnyRef/DafnyRef.bib b/v4.10.0/DafnyRef/DafnyRef.bib
new file mode 100644
index 0000000..17311c3
--- /dev/null
+++ b/v4.10.0/DafnyRef/DafnyRef.bib
@@ -0,0 +1,55 @@
+@Misc{MSR:dafny:main,
+  author = {K. Rustan M. Leino},
+  title = {Main Microsoft Research Dafny Web page},
+  year = 2008,
+  note = "Available at \url{http://research.microsoft.com/en-us/projects/dafny}"
+}
+@Misc{MSR:dafny:source,
+  author = {K. Rustan  M. Leino et al},
+  title = {Dafny Source Code},
+  note = "Available at \url{http://dafny.codeplex.com}"
+}
+@Misc{MSR:dafny:quickref,
+  author = {K. Rustan  M. Leino},
+  title = {Dafny Quick Reference},
+  note = "Available at \url{http://research.microsoft.com/en-us/projects/dafny/reference.aspx}"
+}
+@Misc{Linz:Coco,
+  author = {Hanspeter M{\"{o}}ssenb{\"{o}}ck and Markus L{\"{o}}berbauer and Albrecht W{\"{o}}{\ss}},
+  title = {The Compiler Generator Coco/R},
+  howpublished = {Open source from University of Linz},
+  year = 2013,
+  note = "Available at \url{http://www.ssw.uni-linz.ac.at/Research/Projects/Coco/}"
+}
+@Misc{LEINO:Dafny:Calc,
+  author = {K. Rustan M. Leino and Nadia Polikarpova},
+  title = {Verified Calculations},
+  howpublished = {Manuscript KRML 231},
+  year = 2013,
+  note = "Available at \url{http://research.microsoft.com/en-us/um/people/leino/papers/krml231.pdf}"
+}
+@Misc{LEINO:Dafny:Coinduction,
+  author = {K. Rustan M. Leino and Michal Moskal},
+  title = {Co-induction Simply: Automatic Co-inductive Proofs in a Program Verifier},
+  howpublished = {Manuscript KRML 230},
+  year = 2014,
+  note = "Available at \url{http://research.microsoft.com/en-us/um/people/leino/papers/krml230.pdf}"
+}
+@Misc{LEINO:Dafny:DynamicFrames,
+  author = {K. Rustan M. Leino},
+  title = {Dynamic-frame specifications in Dafny},
+  howpublished = {JML seminar, Dagstuhl, Germany},
+  year = 2009,
+  note = "Available at \url{http://research.microsoft.com/en-us/um/people/leino/papers/dafny-jml-dagstuhl-2009.pptx}"
+}
+@inproceedings{LeinoWuestholz2015,
+  author      = {K. Rustan M. Leino and Valentin W{\"{u}}stholz},
+  title       = {Fine-grained Caching of Verification Results},
+  booktitle   = {Computer Aided Verification (CAV)},
+  editor      = {Daniel Kroening and Corina S. Pasareanu},
+  year        = {2015},
+  publisher   = {Springer},
+  series      = {Lecture Notes in Computer Science},
+  pages       = {380--397},
+  volume      = {9206},
+}
diff --git a/v4.10.0/DafnyRef/DafnyRef.md b/v4.10.0/DafnyRef/DafnyRef.md
new file mode 100644
index 0000000..0d435b3
--- /dev/null
+++ b/v4.10.0/DafnyRef/DafnyRef.md
@@ -0,0 +1,80 @@
+---
+layout: default
+---
+<link rel="stylesheet" href="../assets/main.css">
+<link rel="icon" href="../images/dafny-favicon.png" type="image/png">
+<link rel="icon" href="../images/dafny-favicon.svg" type="image/svg+xml">
+
+<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
+
+<font size="+4"><p style="text-align: center;">Dafny Reference Manual</p></font> <!-- PDFOMIT -->
+<p style="text-align: center;">The dafny-lang community</p> <!-- PDFOMIT -->
+<p style="text-align: center;"><script> document.write(new Date(document.lastModified)); </script></p> <!-- PDFOMIT -->
+<p style="text-align: center;">
+{% include_relative version.txt %} <!-- PDFOMIT -->
+</p>
+<!--PDF NEWPAGE-->
+
+**Abstract:**
+This is the Dafny reference manual; it describes the Dafny programming
+language and how to use the Dafny verification system.
+Parts of this manual are more tutorial in nature in order to help the
+user understand how to do proofs with Dafny.
+
+[(Link to current document as html)](https://dafny-lang.github.io/dafny/DafnyRef/DafnyRef)
+
+- numbered toc
+{:toc}
+
+{% include_relative Introduction.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Grammar.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Programs.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Modules.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Types.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Specifications.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Statements.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Expressions.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Refinement.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Attributes.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Topics.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative UserGuide.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative VSCodeIDE.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative Plugins.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative CommandLineOptions.md %}
+
+<!--PDF NEWPAGE-->
+{% include_relative GrammarDetails.md %}
+
+{% include_relative SyntaxTests.md %}
+
+<!--PDF NEWPAGE-->
+
+# 19. References
diff --git a/v4.10.0/DafnyRef/Expressions.1.expect b/v4.10.0/DafnyRef/Expressions.1.expect
new file mode 100644
index 0000000..7f7d14c
--- /dev/null
+++ b/v4.10.0/DafnyRef/Expressions.1.expect
@@ -0,0 +1,3 @@
+text.dfy(13,5): Error: possible division by zero
+
+Dafny program verifier finished with 3 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Expressions.2.expect b/v4.10.0/DafnyRef/Expressions.2.expect
new file mode 100644
index 0000000..a7fde48
--- /dev/null
+++ b/v4.10.0/DafnyRef/Expressions.2.expect
@@ -0,0 +1,5 @@
+text.dfy(16,11): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+text.dfy(17,11): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+text.dfy(18,11): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+
+Dafny program verifier finished with 1 verified, 0 errors
diff --git a/v4.10.0/DafnyRef/Expressions.3.expect b/v4.10.0/DafnyRef/Expressions.3.expect
new file mode 100644
index 0000000..6ef178b
--- /dev/null
+++ b/v4.10.0/DafnyRef/Expressions.3.expect
@@ -0,0 +1,3 @@
+text.dfy(18,11): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+
+Dafny program verifier finished with 2 verified, 0 errors
diff --git a/v4.10.0/DafnyRef/Expressions.4.expect b/v4.10.0/DafnyRef/Expressions.4.expect
new file mode 100644
index 0000000..189701d
--- /dev/null
+++ b/v4.10.0/DafnyRef/Expressions.4.expect
@@ -0,0 +1,4 @@
+text.dfy(11,25): Error: source of datatype update must be constructed by 'MyOtherConstructor'
+text.dfy(21,17): Error: source of datatype update must be constructed by 'MyNumericConstructor'
+
+Dafny program verifier finished with 0 verified, 2 errors
diff --git a/v4.10.0/DafnyRef/Expressions.5.expect b/v4.10.0/DafnyRef/Expressions.5.expect
new file mode 100644
index 0000000..ecbb16a
--- /dev/null
+++ b/v4.10.0/DafnyRef/Expressions.5.expect
@@ -0,0 +1,3 @@
+text.dfy(2,2): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
\ No newline at end of file
diff --git a/v4.10.0/DafnyRef/Expressions.md b/v4.10.0/DafnyRef/Expressions.md
new file mode 100644
index 0000000..9cdafdc
--- /dev/null
+++ b/v4.10.0/DafnyRef/Expressions.md
@@ -0,0 +1,1955 @@
+# 9. Expressions {#sec-expressions}
+
+Dafny expressions come in three flavors.
+- The bulk of expressions have no side-effects and can be used within
+methods, functions, and specifications, and in either compiled or ghost code.
+- Some expressions, called [right-hand-side expressions](#sec-rhs-expression),
+do have side-effects and may only be used in specific syntactic locations,
+such as the right-hand-side of update (assignment) statements; 
+object allocation and method calls are two typical examples of [right-hand-side expressions](#sec-rhs-expression). Note that method calls are syntactically
+indistinguishable from function calls; both are Expressions ([PrimaryExpressions](#sec-primary-expression)
+with an [ArgumentList suffix](#sec-argument-list-suffix)). However, method calls are semantically permitted
+only in right-hand-side expression locations.
+- Some expressions are allowed only in specifications and other ghost code,
+as listed [here](#sec-list-of-specification-expressions).
+
+The grammar of Dafny expressions follows a hierarchy that
+reflects the precedence of Dafny operators. The following
+table shows the Dafny operators and their precedence
+in order of increasing binding power.
+
+ operator                 | precedence | description
+--------------------------|:----------:|-----------------------
+ `;`                      | 0 | That is [LemmaCall; Expression](#sec-top-level-expression)
+--------------------------|------------------------------------
+ `<==>`                   | 1 | [equivalence (if and only if)](#sec-equivalence-expression)
+--------------------------|------------------------------------
+ `==>`                    | 2 | [implication (implies)](#sec-implies-expression)
+ `<==`                    | 2 | [reverse implication (follows from)](#sec-implies-expression)
+--------------------------|------------------------------------
+ `&&`, `&`                | 3 | [conjunction (and)](#sec-logical-expression)
+ `||`, `|`                | 3 | [disjunction (or)](#sec-logical-expression)
+--------------------------|------------------------------------
+ `==`                     | 4 | equality
+ `==#[k]`                 | 4 | [prefix equality (coinductive)](#sec-co-equality)
+ `!=`                     | 4 | disequality
+ `!=#[k]`                 | 4 | [prefix disequality (coinductive)](#sec-co-equality)
+ `<`                      | 4 | less than
+ `<=`                     | 4 | at most
+ `>=`                     | 4 | at least
+ `>`                      | 4 | greater than
+ `in`                     | 4 | collection membership
+ `!in`                    | 4 | collection non-membership
+ `!!`                     | 4 | disjointness
+--------------------------|------------------------------------
+ `<<`                     | 5 | [left-shift](#sec-bit-shift-expression)
+ `>>`                     | 5 | [right-shift](#sec-bit-shift-expression)
+--------------------------|------------------------------------
+ `+`                      | 6 | addition (plus)
+ `-`                      | 6 | subtraction (minus)
+--------------------------|------------------------------------
+ `*`                      | 7 | multiplication (times)
+ `/`                      | 7 | division (divided by)
+ `%`                      | 7 | modulus (mod)
+--------------------------|------------------------------------
+ `|`                      | 8 | [bit-wise or](#sec-bitvector-expression)
+ `&`                      | 8 | [bit-wise and](#sec-bitvector-expression)
+ `^`                      | 8 | [bit-wise exclusive-or (not equal)](#sec-bitvector-expression)
+--------------------------|------------------------------------
+ `as` operation           | 9 | [type conversion](#sec-as-is-expression)
+ `is` operation           | 9 | [type test](#sec-as-is-expression)
+--------------------------|------------------------------------
+ `-`                      | 10 | arithmetic negation (unary minus)
+ `!`                      | 10 | logical negation, bit-wise complement
+--------------------------|------------------------------------
+ Primary Expressions      | 11 |
+
+
+## 9.1. Lemma-call expressions ([grammar](#g-top-level-expression)) {#sec-top-level-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+var a := L(a,b); a*b
+```
+
+This expression has the form `S; E`.
+The type of the expression is the type of `E`.
+`S` must be a lemma call (though the grammar appears more lenient).
+The lemma introduces a fact necessary to establish properties of `E`.
+
+Sometimes an expression will fail unless some relevant fact is known.
+In the following example the `F_Fails` function fails to verify
+because the `Fact(n)` divisor may be zero. But preceding
+the expression by a lemma that ensures that the denominator
+is not zero allows function `F_Succeeds` to succeed.
+<!-- %check-verify Expressions.1.expect -->
+```dafny
+function Fact(n: nat): nat
+{
+  if n == 0 then 1 else n * Fact(n-1)
+}
+
+lemma L(n: nat)
+  ensures 1 <= Fact(n)
+{
+}
+
+function F_Fails(n: nat): int
+{
+  50 / Fact(n)  // error: possible division by zero
+}
+
+function F_Succeeds(n: nat): int
+{
+  L(n); // note, this is a lemma call in an expression
+  50 / Fact(n)
+}
+```
+
+One restriction is that a lemma call in this form is permitted only in situations in which the expression itself is not terminated by a semicolon.
+
+A second restriction is that `E` is not always permitted to contain lambda expressions, such 
+as in the expressions that are the body of a lambda expression itself, function, method and iterator specifications,
+and if and while statements with guarded alternatives.
+
+A third restriction is that `E` is not always permitted to contain a bit-wise or (`|`) operator, 
+because it would be ambiguous with the vertical bar used in comprehension expressions.
+
+Note that the effect of the lemma call only extends to the succeeding expression `E` (which may be another `;` expression).
+
+## 9.2. Equivalence Expressions ([grammar](#g-equivalence-expression)) {#sec-equivalence-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+A
+A <==> B
+A <==> C ==> D <==> B 
+```
+
+An Equivalence Expression that contains one or more `<==>`s is
+a boolean expression and all the operands
+must also be boolean expressions. In that case each `<==>`
+operator tests for logical equality which is the same as
+ordinary equality (but with a different precedence).
+
+See [Section 5.2.1.1](#sec-equivalence-operator) for an explanation of the
+`<==>` operator as compared with the `==` operator.
+
+The `<==>` operator is commutative and associative: `A <==> B <==> C` and `(A <==> B) <==> C` and `A <==> (B <==> C)` and `C <==> B <==> A`
+are all equivalent and are all true iff an even number of operands are false.
+
+## 9.3. Implies or Explies Expressions ([grammar](#g-implies-expression)) {#sec-implies-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+A ==> B
+A ==> B ==> C ==> D
+B <== A
+```
+
+See [Section 5.2.1.3](#sec-implication-and-reverse-implication) for an explanation
+of the `==>` and `<==` operators.
+
+## 9.4. Logical Expressions ([grammar](#g-logical-expression)) {#sec-logical-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+A && B
+A || B
+&& A && B && C
+```
+
+Note that the Dafny grammar allows a conjunction or disjunction to be
+_prefixed_ with `&&` or `||` respectively. This form simply allows a
+parallel structure to be written:
+<!-- %check-resolve -->
+```dafny
+method m(x: object?, y:object?, z: object?) {
+  var b: bool :=
+    && x != null
+    && y != null
+    && z != null
+    ;
+}
+```
+This is purely a syntactic convenience allowing easy edits such as reordering
+lines or commenting out lines without having to check that the infix
+operators are always where they should be.
+
+Note also that `&&` and `||` cannot be mixed without using parentheses:
+`A && B || C` is not permitted. Write `(A && B) || C` or `A && (B || C)` instead.
+
+See [Section 5.2.1.2](#sec-conjunction-and-disjunction) for an explanation
+of the `&&` and `||` operators.
+
+## 9.5. Relational Expressions ([grammar](#g-relational-expression)) {#sec-relational-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+x == y
+x != y
+x < y
+x >= y
+x in y
+x ! in y
+x !! y
+x ==#[k] y
+```
+
+The relation expressions compare two or more terms.
+As explained in [the section about basic types](#sec-basic-type), `==`, `!=`, ``<``, `>`, `<=`, and `>=`
+are _chaining_.
+
+The `in` and `!in` operators apply to collection types as explained in
+[Section 5.5](#sec-collection-types) and represent membership or non-membership
+respectively.
+
+The `!!` represents disjointness for sets and multisets as explained in
+[Section 5.5.1](#sec-sets) and [Section 5.5.2](#sec-multisets).
+
+`x ==#[k] y` is the prefix equality operator that compares
+coinductive values for equality to a nesting level of k, as
+explained in [the section about co-equality](#sec-co-equality).
+
+## 9.6. Bit Shifts ([grammar](#g-bit-shift-expression)) {#sec-bit-shift-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+k << 5
+j >> i
+```
+
+These operators are the left and right shift operators for bit-vector values.
+They take a bit-vector value and an `int`, shifting the bits by the given
+amount; the result has the same bit-vector type as the LHS.
+For the expression to be well-defined, the RHS value must be in the range 0 to the number of
+bits in the bit-vector type, inclusive.
+
+The operations are left-associative: `a << i >> j` is `(a << i) >> j`.
+
+## 9.7. Terms ([grammar](#g-term)) {#sec-addition-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+x + y - z
+```
+
+`Terms` combine `Factors` by adding or subtracting.
+Addition has these meanings for different types:
+
+* arithmetic addition for numeric types ([Section 5.2.2](#sec-numeric-types)])
+* union for sets and multisets ([Section 5.5.1](#sec-sets) and [Section 5.5.2](#sec-multisets))
+* concatenation for sequences ([Section 5.5.3](#sec-sequences))
+* map merging for maps ([Section 5.5.4](#sec-maps))
+
+Subtraction is 
+
+* arithmetic subtraction for numeric types
+* set or multiset subtraction for sets and multisets
+* domain subtraction for maps.
+
+All addition operations are associative. Arithmetic addition and union are commutative. Subtraction is neither; it groups to the left as expected:
+`x - y -z` is `(x - y) -z`.
+
+## 9.8. Factors ([grammar](#g-factor)) {#sec-multiplication-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+x * y
+x / y
+x % y
+```
+
+A ``Factor`` combines expressions using multiplication,
+division, or modulus. For numeric types these are explained in
+[Section 5.2.2](#sec-numeric-types).
+As explained there, `/` and `%` on `int` values represent _Euclidean_
+integer division and modulus and not the typical C-like programming
+language operations.
+
+Only `*` has a non-numeric application. It represents set or multiset
+intersection as explained in [Section 5.5.1](#sec-sets) and [Section 5.5.2](#sec-multisets).
+
+`*` is commutative and associative; `/` and `%` are neither but do group to the left.
+
+## 9.9. Bit-vector Operations ([grammar](#g-bit-vector-expression)) {#sec-bitvector-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+x | y
+x & y
+x ^ y
+```
+
+
+These operations take two bit-vector values of the same type, returning
+a value of the same type. The operations perform bit-wise _or_ (`|`),
+_and_ (`&`), and _exclusive-or_ (`^`). To perform bit-wise equality, use
+`^` and `!` (unary complement) together. (`==` is boolean equality of the whole bit-vector.)
+
+These operations are associative and commutative but do not associate with each other.
+Use parentheses: `a & b | c` is illegal; use `(a & b) | c` or `a & (b | c)`
+instead.
+
+Bit-vector operations are not allowed in some contexts.
+The `|` symbol is used both for bit-wise or and as the delimiter in a
+[cardinality](#sec-cardinality-expression) expression: an ambiguity arises if
+the expression E in `| E |` contains a `|`. This situation is easily
+remedied: just enclose E in parentheses, as in `|(E)|`.
+The only type-correct way this can happen is if the expression is
+a comprehension, as in `| set x: int :: x | 0x101 |`.
+
+## 9.10. As (Conversion) and Is (type test) Expressions ([grammar](#g-as-is-expression)) {#sec-as-is-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+e as MyClass
+i as bv8
+e is MyClass
+```
+
+The `as` expression converts the given LHS to the type stated on the RHS,
+with the result being of the given type. The following combinations
+of conversions are permitted:
+
+* Any type to itself
+* Any int or real based numeric type or bit-vector type to another int or real based numeric type or bit-vector type
+* Any base type to a subset or newtype with that base
+* Any subset or newtype to its base type or a subset or newtype of the same base
+* Any type to a subset or newtype that has the type as its base
+* Any trait to a class or trait that extends (perhaps recursively) that trait
+* Any class or trait to a trait extended by that class or trait
+
+Some of the conversions above are already implicitly allowed, without the
+`as` operation, such as from a subset type to its base. In any case, it
+must be able to be proved that the value of the given expression is a
+legal value of the given type. For example, `5 as MyType` is permitted (by the verifier) only if `5` is a legitimate value of`MyType` (which must be a numeric type).
+
+The `as` operation is like a grammatical suffix or postfix operation.
+However, note that the unary operations bind more tightly than does `as`.
+That is `- 5 as nat` is `(- 5) as nat` (which fails), whereas `a * b as nat`
+is `a * (b as nat)`. On the other hand, `- a[4]` is `- (a[4])`.
+
+The `is` expression is grammatically similar to the `as` expression, with the
+same binding power. The `is` expression is a type test that
+returns a `bool` value indicating whether the LHS expression is a legal
+value of the RHS type. The expression can be used to check
+whether a trait value is of a particular class type. That is, the expression
+in effect checks the allocated type of a trait.
+
+The RHS type of an `is` expression can always be a supertype of the type of the LHS
+expression, in which case the result is trivally true. 
+Other than that, the RHS must be based on a reference type and the
+LHS expression must be assignable to the RHS type. Furthermore, in order to be
+compilable, the RHS type must not be a subset type other than a non-null reference
+type, and the type parameters of the RHS must be uniquely determined from the
+type parameters of the LHS type. The last restriction is designed to make it
+possible to perform type tests without inspecting type parameters at run time.
+For example, consider the following types:
+
+<!-- %check-resolve -->
+```dafny
+trait A { }
+trait B<X> { }
+class C<Y> extends B<Y> { }
+class D<Y(==)> extends B<set<Y>> { }
+class E extends B<int> { }
+class F<Z> extends A { }
+```
+
+A LHS expression of type `B<set<int>>` can be used in a type test where the RHS is
+`B<set<int>>`, `C<set<int>>`, or `D<int>`, and a LHS expression of type `B<int>`
+can be used in a type test where the RHS is `B<int>`, `C<int>`, or `E`. Those
+are always allowed in compiled (and ghost) contexts.
+For an expression `a` of type `A`, the expression `a is F<int>` is a ghost expression;
+it can be used in ghost contexts, but not in compiled contexts.
+
+For an expression `e` and type `t`, `e is t` is the condition determining whether
+`e as t` is well-defined (but, as noted above, is not always a legal expression).
+
+*The repertoire of types allowed in `is` tests may be expanded in the future.*
+
+## 9.11. Unary Expressions ([grammar](#g-unary-expression)) {#sec-unary-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+-x
+- - x
+! x
+```
+
+A unary expression applies 
+
+- logical complement (`!` -- [Section 5.2.1](#sec-booleans)),
+- bit-wise complement (`!` -- [Section 5.2.3](#sec-bit-vector-types)),
+- numeric negation (`-` -- [Section 5.2.2](#sec-numeric-types)), or
+- bit-vector negation (`-` -- [Section 5.2.3](#sec-bit-vector-types))
+
+to its operand.
+
+## 9.12. Primary Expressions ([grammar](#g-primary-expression)) {#sec-primary-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+true
+34
+M(i,j)
+b.c.d
+[1,2,3]
+{2,3,4}
+map[1 => 2, 3 => 4]
+(i:int,j:int)=>i+j
+if b then 4 else 5
+```
+
+After descending through all the binary and unary operators we arrive at
+the primary expressions, which are explained in subsequent sections. 
+A number of these can be followed by 0 or more suffixes
+to select a component of the value.
+
+## 9.13. Lambda expressions ([grammar](#g-lambda-expression)) {#sec-lambda-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+x => -x
+_ => true
+(x,y) => x*y
+(x:int, b:bool) => if b then x else -x
+x requires x > 0 => x-1
+```
+
+See [Section 7.4](#sec-lambda-specification) for a description of specifications for lambda expressions.
+
+In addition to named functions, Dafny supports expressions that define
+functions.  These are called _lambda (expression)s_ (some languages
+know them as _anonymous functions_).  A lambda expression has the
+form:
+<!-- %no-check -->
+```dafny
+( _params_ ) _specification_ => _body_
+```
+where _params_ is a comma-delimited list of parameter
+declarations, each of which has the form `x` or `x: T`.  The type `T`
+of a parameter can be omitted when it can be inferred.  If the
+identifier `x` is not needed, it can be replaced by `_`.  If
+_params_ consists of a single parameter `x` (or `_`) without an
+explicit type, then the parentheses can be dropped; for example, the
+function that returns the successor of a given integer can be written
+as the following lambda expression:
+<!-- %no-check -->
+```dafny
+x => x + 1
+```
+
+The _specification_ is a list of clauses `requires E` or
+`reads W`, where `E` is a boolean expression and `W` is a frame
+expression.
+
+_body_ is an expression that defines the function's return
+value.  The body must be [well-formed](#sec-assertion-batches) for all possible values of the
+parameters that satisfy the precondition (just like the bodies of
+named functions and methods).  In some cases, this means it is
+necessary to write explicit `requires` and `reads` clauses.  For
+example, the lambda expression
+<!-- %no-check -->
+```dafny
+x requires x != 0 => 100 / x
+```
+would not be [well-formed](#sec-assertion-batches) if the `requires` clause were omitted,
+because of the possibility of division-by-zero.
+
+In settings where functions cannot be partial and there are no
+restrictions on reading the heap, the _eta expansion_ of a function
+`F: T -> U` (that is, the wrapping of `F` inside a lambda expression
+in such a way that the lambda expression is equivalent to `F`) would
+be written `x => F(x)`.  In Dafny, eta expansion must also account for
+the precondition and reads set of the function, so the eta expansion
+of `F` looks like:
+<!-- %no-check -->
+```dafny
+x requires F.requires(x) reads F.reads(x) => F(x)
+```
+
+## 9.14. Left-Hand-Side Expressions ([grammar](#g-lhs-expression)) {#sec-lhs-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+x
+a[k]
+LibraryModule.F().x
+old(o.f).x
+```
+
+A left-hand-side expression is only used on the left hand
+side of an [Update statement](#sec-update-and-call-statement)
+or an [Update with Failure Statement](#sec-update-with-failure-statement).
+
+An LHS can be
+
+- a simple identifier: `k`
+- an expression with a dot suffix: `this.x`, `f(k).y`
+- an expression with an array selection: `a[k]`, `f(a8)[6]`
+
+## 9.15. Right-Hand-Side Expressions ([grammar](#g-rhs-expression)) {#sec-rhs-expression}
+
+Examples: 
+<!-- %no-check -->
+```dafny
+new int[6]
+new MyClass
+new MyClass(x,y,z)
+x+y+z
+*
+```
+
+A Right-Hand-Side expression is an expression-like construct that may have 
+side-effects. Consequently such expressions
+ can only be used within certain statements
+within methods, and not as general expressions or within functions or specifications.
+
+An RHS is either an array allocation, an object allocation,
+a havoc right-hand-side, a method call, or a simple expression, optionally followed
+by one or more attributes.
+
+Right-hand-side expressions (that are not just regular expressions) appear in the following constructs:
+
+- [return statements](#sec-return-statement),
+- [yield statements](#sec-yield-statement),
+- [update statements](#sec-update-and-call-statement),
+- [update-with-failure statements](#sec-update-with-failure-statement), or
+- [variable declaration statements](#sec-variable-declaration-statement).
+
+These are the only contexts in which arrays or objects may be
+allocated or in which havoc may be stipulated.
+
+## 9.16. Array Allocation ([grammar](#g-array-allocation-expression)) {#sec-array-allocation}
+
+Examples:
+<!-- %no-check -->
+```dafny
+new int[5,6]
+new int[5][2,3,5,7,11]
+new int[][2,3,5,7,11]
+new int[5](i => i*i)
+new int[2,3]((i,j) => i*j)
+```
+
+This right-hand-side expression allocates a new single or multi-dimensional array (cf. [Section 5.10](#sec-array-type)).
+The initialization portion is optional. One form is an
+explicit list of values, in which case the dimension is optional:
+<!-- %no-check -->
+```dafny
+var a := new int[5];
+var b := new int[5][2,3,5,7,11];
+var c := new int[][2,3,5,7,11];
+var d := new int[3][4,5,6,7]; // error
+```
+The comprehension form requires a dimension and uses a function of
+type `nat -> T` where `T` is the array element type:
+<!-- %no-check -->
+```dafny
+var a := new int[5](i => i*i);
+```
+
+To allocate a multi-dimensional array, simply give the sizes of
+each dimension. For example,
+<!-- %no-check -->
+```dafny
+var m := new real[640, 480];
+```
+allocates a 640-by-480 two-dimensional array of `real`s. The initialization
+portion cannot give a display of elements like in the one-dimensional
+case, but it can use an initialization function. A function used to initialize
+a n-dimensional array requires a function from n `nat`s to a `T`, where `T`
+is the element type of the array. Here is an example:
+<!-- %no-check -->
+```dafny
+var diag := new int[30, 30]((i, j) => if i == j then 1 else 0);
+```
+
+Array allocation is permitted in ghost contexts. If any expression
+used to specify a dimension or initialization value is ghost, then the
+`new` allocation can only be used in ghost contexts. Because the
+elements of an array are non-ghost, an array allocated in a ghost
+context in effect cannot be changed after initialization.
+
+## 9.17. Object Allocation ([grammar](#g-object-allocation-expression)) {#sec-object-allocation}
+
+Examples:
+<!-- %no-check -->
+```dafny
+new MyClass
+new MyClass.Init
+new MyClass.Init(1,2,3)
+```
+
+This right-hand-side expression 
+allocates a new object of a class type as explained
+in section [Class Types](#sec-class-types).
+
+## 9.18. Havoc Right-Hand-Side ([grammar](#g-havoc-expression)) {#sec-havoc-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+*
+```
+A havoc right-hand-side is just a `*` character.
+It produces an arbitrary value of its associated
+type. The "assign-such-that"
+operator (`:|`) can be used to obtain a more constrained arbitrary value. 
+See [Section 8.5](#sec-update-and-call-statement).
+
+## 9.19. Constant Or Atomic Expressions ([grammar](#g-atomic-expression)) {#sec-atomic-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+this
+null
+5
+5.5
+true
+'a'
+"dafny"
+( e )
+| s |
+old(x)
+allocated(x)
+unchanged(x)
+fresh(e)
+assigned(x)
+```
+
+These expressions are never l-values. They include
+
+- [literal expressions](#sec-literal-expression)
+- [parenthesized expressions](#sec-parenthesized-expression)
+- [`this` expressions](#sec-this-expression)
+- [fresh expressions](#sec-fresh-expression)
+- [allocated expressions](#sec-allocated-expression)
+- [unchanged expressions](#sec-unchanged-expression)
+- [old expressions](#sec-old-expression)
+- [cardinality expressions](#sec-cardinality-expression)
+- [assigned expressions](#sec-assigned-expression)
+
+## 9.20. Literal Expressions ([grammar](#g-literal-expression)} {#sec-literal-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+5
+5.5
+true
+'a'
+"dafny"
+```
+
+A literal expression is a null object reference or a boolean,
+integer, real, character or string literal.
+
+## 9.21. `this` Expression ([grammar](#g-this-expression)) {#sec-this-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+this
+```
+
+The `this` token denotes the current object in the context of 
+a constructor, instance method, or instance function.
+
+
+## 9.22. Old and Old@ Expressions ([grammar](#g-old-expression)) {#sec-old-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+old(c)
+old@L(c)
+```
+
+An _old expression_ is used in postconditions or in the body of a method
+or in the body or specification of any two-state function or two-state lemma;
+an _old_ expression with a label is used only in the body of a method at a point
+where the label dominates its use in the expression.
+
+`old(e)` evaluates
+the argument using the value of the heap on entry to the method;
+`old@ident(e)` evaluates the argument using the value of the heap at the
+given statement label.
+
+Note that **old** and **old@** only affect heap dereferences,
+like `o.f` and `a[i]`.
+In particular, neither form has any effect on the value returned for local
+variables or out-parameters (as they are not on the heap).[^Old]
+If the value of an entire expression at a
+particular point in the method body is needed later on in the method body,
+the clearest means is to declare a ghost variable, initializing it to the
+expression in question.
+If the argument of `old` is a local variable or out-parameter. Dafny issues a warning.
+
+[^Old]: The semantics of `old` in Dafny differs from similar constructs in other specification languages like ACSL or JML.
+
+The argument of an `old` expression may not contain nested `old`,
+[`fresh`](#sec-fresh-expression),
+or [`unchanged`](#sec-unchanged-expression) expressions,
+nor [two-state functions](#sec-two-state) or [two-state lemmas](#sec-two-state-lemma).
+
+Here are some explanatory examples. All `assert` statements verify to be true.
+<!-- %check-verify-warn Expressions.2.expect -->
+```dafny
+class A {
+
+  var value: int
+
+  method m(i: int)
+    requires i == 6
+    requires value == 42
+    modifies this
+  {
+    var j: int := 17;
+    value := 43;
+    label L:
+    j := 18;
+    value := 44;
+    label M:
+    assert old(i) == 6; // i is local, but can't be changed anyway
+    assert old(j) == 18; // j is local and not affected by old
+    assert old@L(j) == 18; // j is local and not affected by old
+    assert old(value) == 42;
+    assert old@L(value) == 43;
+    assert old@M(value) == 44 && this.value == 44;
+    // value is this.value; 'this' is the same
+    // same reference in current and pre state but the
+    // values stored in the heap as its fields are different;
+    // '.value' evaluates to 42 in the pre-state, 43 at L,
+    // and 44 in the current state
+  }
+}
+```
+<!-- %check-verify -->
+```dafny
+class A {
+  var value: int
+  constructor ()
+     ensures value == 10
+  {
+     value := 10;
+  }
+}
+
+class B {
+   var a: A
+   constructor () { a := new A(); }
+
+   method m()
+     requires a.value == 11
+     modifies this, this.a
+   {
+     label L:
+     a.value := 12;
+     label M:
+     a := new A(); // Line X
+     label N:
+     a.value := 20;
+     label P:
+
+     assert old(a.value) == 11;
+     assert old(a).value == 12; // this.a is from pre-state,
+                                // but .value in current state
+     assert old@L(a.value) == 11;
+     assert old@L(a).value == 12; // same as above
+     assert old@M(a.value) == 12; // .value in M state is 12
+     assert old@M(a).value == 12;
+     assert old@N(a.value) == 10; // this.a in N is the heap
+                                  // reference at Line X
+     assert old@N(a).value == 20; // .value in current state is 20
+     assert old@P(a.value) == 20;
+     assert old@P(a).value == 20;
+  }
+}
+```
+<!-- %check-verify -->
+```dafny
+class A {
+  var value: int
+  constructor ()
+     ensures value == 10
+  {
+     value := 10;
+  }
+}
+
+class B {
+   var a: A
+   constructor () { a := new A(); }
+
+   method m()
+     requires a.value == 11
+     modifies this, this.a
+   {
+     label L:
+     a.value := 12;
+     label M:
+     a := new A(); // Line X
+     label N:
+     a.value := 20;
+     label P:
+
+     assert old(a.value) == 11;
+     assert old(a).value == 12; // this.a is from pre-state,
+                                // but .value in current state
+     assert old@L(a.value) == 11;
+     assert old@L(a).value == 12; // same as above
+     assert old@M(a.value) == 12; // .value in M state is 12
+     assert old@M(a).value == 12;
+     assert old@N(a.value) == 10; // this.a in N is the heap
+                                  // reference at Line X
+     assert old@N(a).value == 20; // .value in current state is 20
+     assert old@P(a.value) == 20;
+     assert old@P(a).value == 20;
+  }
+}
+```
+The next example demonstrates the interaction between `old` and array elements.
+<!-- %check-verify-warn Expressions.3.expect -->
+```dafny
+class A {
+  var z1: array<nat>
+  var z2: array<nat>
+
+  method mm()
+    requires z1.Length > 10 && z1[0] == 7
+    requires z2.Length > 10 && z2[0] == 17
+    modifies z2
+  {
+    var a: array<nat> := z1;
+    assert a[0] == 7;
+    a := z2;
+    assert a[0] == 17;
+    assert old(a[0]) == 17; // a is local with value z2
+    z2[0] := 27;
+    assert old(a[0]) == 17; // a is local, with current value of
+                            // z2; in pre-state z2[0] == 17
+    assert old(a)[0] == 27; // a is local, so old(a) has no effect
+  }
+}
+```
+## 9.23. Fresh Expressions ([grammar](#g-fresh-expression)) {#sec-fresh-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+fresh(e)
+fresh@L(e)
+```
+
+`fresh(e)` returns a boolean value that is true if
+the objects denoted by expression `e` were all
+freshly allocated since the time of entry to the enclosing method,
+or since [`label L:`](#sec-labeled-statement) in the variant `fresh@L(e)`.
+The argument is an object or set of objects.
+For example, consider this valid program:
+
+<!-- %check-verify -->
+```dafny
+class C { constructor() {} }
+method f(c1: C) returns (r: C)
+  ensures fresh(r)
+{
+  assert !fresh(c1);
+  var c2 := new C();
+  label AfterC2:
+  var c3 := new C();
+  assert fresh(c2) && fresh(c3);
+  assert fresh({c2, c3});
+  assert !fresh@AfterC2(c2) && fresh@AfterC2(c3);
+  r := c2;
+}
+```
+
+The `L` in the variant `fresh@L(e)` must denote a [label](#sec-labeled-statement) that, in the
+enclosing method's control flow, [dominates the expression](#sec-labeled-statement). In this
+case, `fresh@L(e)` returns `true` if the objects denoted by `e` were all
+freshly allocated since control flow reached label `L`.
+
+The argument of `fresh` must be either an [`object`](#sec-object-type) reference
+or a set or sequence of object references.
+In this case, `fresh(e)` (respectively `fresh@L(e)` with a label)
+is a synonym of [`old(!allocated(e))`](#sec-allocated-expression)
+(respectively [`old@L(!allocated(e))`](#sec-allocated-expression))
+
+
+## 9.24. Allocated Expressions ([grammar](#g-allocated-expression)) {#sec-allocated-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+allocated(c)
+allocated({c1,c2})
+```
+
+For any expression `e`, the expression `allocated(e)` evaluates to `true`
+in a state if the value of `e` is available in that state, meaning that
+it could in principle have been the value of a variable in that state.
+
+For example, consider this valid program:
+
+<!-- %check-verify -->
+```dafny
+class C { constructor() {} }
+datatype D = Nil | Cons(C, D)
+method f() {
+  var d1, d2 := Nil, Nil;
+  var c1 := new C();
+  label L1:
+  var c2 := new C();
+  label L2:
+  assert old(allocated(d1) && allocated(d2));
+  d1 := Cons(c1, Nil);
+  assert old(!allocated(d1) && allocated(d2));
+  d2 := Cons(c2, Nil);
+  assert old(!allocated(d1) && !allocated(d2));
+  assert allocated(d1) && allocated(d2);
+  assert old@L1(allocated(d1) && !allocated(d2));
+  assert old@L2(allocated(d1) && allocated(d2));
+  d1 := Nil;
+  assert old(allocated(d1) && !allocated(d2));
+}
+```
+
+This can be useful when, for example, `allocated(e)` is evaluated in an
+[`old`](#sec-old-expression) state. Like in the example, where `d1` is a local variable holding a datatype value
+`Cons(c1, Nil)` where `c1` is an object that was allocated in the enclosing
+method, then [`old(allocated(d))`](#sec-old-expression) is `false`.
+
+If the expression `e` is of a reference type, then `!old(allocated(e))`
+is the same as [`fresh(e)`](#sec-fresh-expression).
+
+
+## 9.25. Unchanged Expressions ([grammar](#g-unchanged-expression)) {#sec-unchanged-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+unchanged(c)
+unchanged([c1,c2])
+unchanged@L(c)
+```
+
+The `unchanged` expression returns `true` if and only if every reference
+denoted by its arguments has the same value for all its fields in the
+old and current state. For example, if `c` is an object with two
+fields, `x` and `y`, then `unchanged(c)` is equivalent to
+<!-- %no-check -->
+```dafny
+c.x == old(c.x) && c.y == old(c.y)
+```
+
+Each argument to `unchanged` can be a reference, a set of references, or
+a sequence of references, each optionally followed by a back-tick and field name. 
+This form with a frame field expresses that just the field `f`,
+not necessarily all fields, has the same value in the old and current
+state.
+If there is such a frame field, all the references must have the same type,
+which must have a field of that name.
+
+The optional `@`-label says to use the state at that label as the old-state instead of using
+the `old` state (the pre-state of the method). That is, using the example `c` from above, the expression
+`unchanged@Lbl(c)` is equivalent to
+<!-- %no-check -->
+```dafny
+c.x == old@Lbl(c.x) && c.y == old@Lbl(c.y)
+```
+
+Each reference denoted by the arguments of `unchanged` must be non-null and
+must be allocated in the old-state of the expression.
+
+
+## 9.26. Cardinality Expressions ([grammar](#g-cardinality-expression)) {#sec-cardinality-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+|s|
+|s[1..i]|
+```
+
+For a finite-collection expression `c`, `|c|` is the cardinality of `c`. For a
+finite set or sequence, the cardinality is the number of elements. For
+a multiset, the cardinality is the sum of the multiplicities of the
+elements. For a finite map, the cardinality is the cardinality of the
+domain of the map. Cardinality is not defined for infinite sets or infinite maps.
+For more information, see [Section 5.5](#sec-collection-types).
+
+## 9.27. Parenthesized Expressions ([grammar](#g-parenthesized-expression)) {#sec-parenthesized-expression}
+
+A parenthesized expression is a list of zero or more expressions
+enclosed in parentheses.
+
+If there is exactly one expression enclosed then the value is just
+the value of that expression.
+
+If there are zero or more than one, the result is a `tuple` value.
+See [Section 5.13](#sec-tuple-types).
+
+## 9.28. Sequence Display Expression ([grammar](#g-sequence-display-expression)) {#sec-seq-comprehension}
+
+Examples:
+<!-- %no-check -->
+```dafny
+[1, 2, 3]
+[1]
+[]
+seq(k, n => n+1)
+```
+
+A sequence display expression provides a way to construct
+a sequence with given values. For example
+
+<!-- %no-check -->
+```dafny
+[1, 2, 3]
+```
+is a sequence with three elements in it.
+
+<!-- %no-check -->
+```dafny
+seq(k, n => n+1)
+```
+is a sequence of k elements whose values are obtained by evaluating the
+second argument (a function, in this case a lambda expression) on the indices 0 up to k.
+
+See [this section](#sec-sequences) for more information on
+sequences.
+
+## 9.29. Set Display Expression ([grammar](#g-set-display-expression)) {#sec-set-display-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+{}
+{1,2,3}
+iset{1,2,3,4}
+multiset{1,2,2,3,3,3}
+multiset(s)
+```
+
+A set display expression provides a way of constructing a set with given
+elements. If the keyword `iset` is present, then a potentially infinite
+set (with the finite set of given elements) is constructed.
+
+For example
+
+<!-- %no-check -->
+```dafny
+{1, 2, 3}
+```
+is a set with three elements in it.
+See [Section 5.5.1](#sec-sets) for more information on
+sets.
+
+A multiset display expression provides a way of constructing
+a multiset with given elements and multiplicities. For example
+
+<!-- %no-check -->
+```dafny
+multiset{1, 1, 2, 3}
+```
+is a multiset with three elements in it. The number 1 has a multiplicity of 2,
+and the numbers 2 and 3 each have a multiplicity of 1.
+
+A multiset cast expression converts a set or a sequence
+into a multiset as shown here:
+
+<!-- %no-check -->
+```dafny
+var s : set<int> := {1, 2, 3};
+var ms : multiset<int> := multiset(s);
+ms := ms + multiset{1};
+var sq : seq<int> := [1, 1, 2, 3];
+var ms2 : multiset<int> := multiset(sq);
+assert ms == ms2;
+```
+
+Note that `multiset{1, 1}` is a multiset holding the value `1` with multiplicity 2,
+but in `multiset({1,1})` the multiplicity is 1, because the expression `{1,1}` is the set `{1}`,
+which is then converted to a multiset.
+
+See [Section 5.5.2](#sec-multisets) for more information on multisets.
+
+## 9.30. Map Display Expression ([grammar](#g-map-display-expression)) {#sec-map-display-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+map[]
+map[1 := "a", 2 := "b"]
+imap[1 := "a", 2 := "b"]
+```
+
+A map display expression builds a finite or potentially infinite
+map from explicit mappings. For example:
+
+<!-- %check-resolve -->
+```dafny
+const m := map[1 := "a", 2 := "b"]
+ghost const im := imap[1 := "a", 2 := "b"]
+```
+
+See [Section 5.5.4](#sec-maps) for more details on maps and imaps.
+
+## 9.31. Endless Expression ([grammar](#g-endless-expression)) {#sec-endless-expression}
+
+_Endless expression_ gets it name from the fact that all its alternate
+productions have no terminating symbol to end them, but rather they
+all end with an arbitrary expression at the end. The various
+endless expression alternatives are described in the following subsections.
+
+### 9.31.1. If Expression ([grammar](#g-if-expression)) {#sec-if-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+if c then e1 else e2
+if x: int :| P(x) then x else 0
+```
+
+
+An _if expression_ is a conditional (ternary) expression. It first evaluates
+the condition expression that follows the `if`. If the condition evaluates to `true` then
+the expression following the `then` is evaluated and its value is the
+result of the expression. If the condition evaluates to `false` then the
+expression following the `else` is evaluated and that value is the result
+of the expression. It is important that only the selected expression
+is evaluated as the following example shows.
+
+<!-- %no-check -->
+```dafny
+var k := 10 / x; // error, may divide by 0.
+var m := if x != 0 then 10 / x else 1; // ok, guarded
+```
+
+The `if` expression also permits a binding form.
+In this case the condition of the `if` is an existential asking
+"does there exist a value satisfying the given predicate?".
+If not, the else branch is evaluated. But if so, then an
+(arbitrary) value that does satisfy the given predicate is
+bound to the given variable and that variable is in scope in 
+the then-branch of the expression.
+
+For example, in the code
+<!-- %check-verify -->
+```dafny
+predicate P(x: int) {
+  x == 5 || x == -5
+}
+method main() {
+  assert P(5);
+  var y := if x: int :| P(x) then x else 0;
+  assert y == 5 || y == -5;
+}
+```
+`x` is given some value that satisfies `P(x)`, namely either `5` or `-5`.
+That value of `x` is the value of the expression in the `then` branch above; if there is no value satisfying `P(x)`,
+then `0` is returned. Note that if `x` is declared to be a `nat` in this example, then only
+the value `5` would be permissible.
+
+This binding form of the `if` expression acts in the same way as the binding form of the [`if` statement](#sec-if-statement).
+
+In the example given, the binder for `x` has no constraining range, so the expression is `ghost`;
+if a range is given, such as `var y := if x: int :| 0 <= x < 10 && P(x) then x else 0;`,
+then the `if` and `y` are no longer ghost, and `y` could be used, for example, in a `print` statement.
+
+### 9.31.2. Case and Extended Patterns ([grammar](#g-pattern)) {#sec-case-pattern}
+
+Patterns are used for (possibly nested)
+pattern matching on inductive, coinductive or base type values.
+They are used in 
+[match statements](#sec-match-statement),
+[match expressions](#sec-match-expression),
+[let expressions](#sec-let-expression),
+and [variable declarations](#sec-variable-declaration-statement).
+The match expressions and statements allow literals,
+symbolic constants, and disjunctive (“or”) patterns.
+
+When matching an inductive or coinductive value in
+a match statement or expression, the pattern
+must correspond to one of the following:
+
+* (0) a case disjunction (“or-pattern”)
+* (1) bound variable (a simple identifier),
+* (2) a constructor of the type of the value,
+* (3) a literal of the correct type, or
+* (4) a symbolic constant.
+
+If the extended pattern is
+
+* a sequence of `|`-separated sub-patterns, then the pattern matches values
+  matched by any of the sub-patterns.
+* a parentheses-enclosed possibly-empty list of patterns,
+then the pattern matches a tuple.
+* an identifier followed
+by a parentheses-enclosed possibly-empty list of patterns, then the pattern
+matches a constructor.
+* a literal, then the pattern matches exactly that literal.
+* a simple identifier, then the pattern matches
+   * a parameter-less constructor if there is one defined with the correct type and the given name, else
+   * the value of a symbolic constant, if a name lookup finds a declaration for
+     a constant with the given name (if the name is declared but with a non-matching type, a type resolution error will occur),
+   * otherwise, the identifier is a new bound variable
+
+Disjunctive patterns may not bind variables, and may not be nested inside other
+patterns.
+
+Any patterns inside the parentheses of a constructor (or tuple) pattern are then
+matched against the arguments that were given to the
+constructor when the value was constructed.
+The number of patterns must match the number
+of parameters to the constructor (or the arity of the
+tuple).
+
+When matching a value of base type, the pattern should
+either be a literal expression of the same type as the value,
+or a single identifier matching all values of this type.
+
+Patterns may be nested. The  bound variable
+identifiers contained in all the patterns must be distinct.
+They are bound to the corresponding values in the value being
+matched. (Thus, for example, one cannot repeat a bound variable to
+attempt to match a constructor that has two identical arguments.)
+
+### 9.31.3. Match Expression ([grammar](#g-match-expression)) {#sec-match-expression}
+
+A _match expression_ is used to conditionally evaluate and select an
+expression depending on the value of an algebraic type, i.e. an inductive
+type, a coinductive type, or a base type.
+
+All of the variables in the patterns must be distinct.
+If types for the identifiers are not given then types are inferred
+from the types of the constructor's parameters. If types are
+given then they must agree with the types of the
+corresponding parameters.
+
+The expression following the `match` keyword is called the
+_selector_. A match expression is evaluated by first evaluating the selector.
+The patterns of each match alternative are then compared, in order,
+ with the resulting value until a matching pattern is found, as described in
+the [section on case bindings](#sec-case-pattern).
+If the constructor had
+parameters, then the actual values used to construct the selector
+value are bound to the identifiers in the identifier list.
+The expression to the right of the `=>` in the matched alternative is then
+evaluated in the environment enriched by this binding. The result
+of that evaluation is the result of the match expression.
+
+Note that the braces enclosing the sequence of match alternatives may be omitted.
+Those braces are required if lemma or lambda expressions are used in the
+body of any match alternative; they may also be needed for disambiguation if
+there are nested match expressions.
+
+### 9.31.4. Quantifier Expression ([grammar](#g-quantifier-expression)) {#sec-quantifier-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+forall x: int :: x > 0
+forall x: nat | x < 10 :: x*x < 100
+exists x: int :: x * x == 25
+```
+
+A _quantifier expression_ is a boolean expression that specifies that a
+given expression (the one following the `::`) is true for all (for
+**forall**) or some (for **exists**) combination of values of the
+quantified variables, namely those in the given quantifier domain.
+See [Section 2.7.4](#sec-quantifier-domains) for more details on quantifier domains.
+
+Here are some examples:
+<!-- %no-check -->
+```dafny
+assert forall x : nat | x <= 5 :: x * x <= 25;
+(forall n :: 2 <= n ==> (exists d :: n < d < 2*n))
+assert forall x: nat | 0 <= x < |s|, y <- s[x] :: y < x;
+```
+
+The quantifier identifiers are _bound_ within the scope of the
+expressions in the quantifier expression.
+
+If types are not given for the quantified identifiers, then Dafny
+attempts to infer their types from the context of the expressions.
+It this is not possible, the program is in error.
+
+
+### 9.31.5. Set Comprehension Expressions ([grammar](#g-set-comprehension-expression)) {#sec-set-comprehension-expression}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+const c1 := set x: nat | x < 100
+const c2 := set x: nat | x < 100 :: x * x
+const c3 := set x: nat, y: nat | x < y < 100 :: x * y
+ghost const c4 := iset x: nat | x > 100
+ghost const c5: iset<int> := iset s
+const c6 := set x <- c3 :: x + 1
+```
+
+A set comprehension expression is an expression that yields a set
+(possibly infinite only if `iset` is used) that
+satisfies specified conditions. There are two basic forms.
+
+If there is only one quantified variable, the optional ``"::" Expression``
+need not be supplied, in which case it is as if it had been supplied
+and the expression consists solely of the quantified variable.
+That is,
+
+<!-- %no-check -->
+```dafny
+set x : T | P(x)
+```
+
+is equivalent to
+
+<!-- %no-check -->
+```dafny
+set x : T | P(x) :: x
+```
+
+For the full form
+
+<!-- %no-check -->
+```dafny
+var S := set x1: T1 <- C1 | P1(x1),
+             x2: T2 <- C2 | P2(x1, x2),
+             ... 
+             :: Q(x1, x2, ...)
+```
+
+the elements of `S` will be all values resulting from evaluation of `Q(x1, x2, ...)`
+for all combinations of quantified variables `x1, x2, ...` (from their respective `C1, C2, ...`
+domains) such that all predicates `P1(x1), P2(x1, x2), ...` hold. 
+
+For example,
+
+<!-- %no-check -->
+```dafny
+var S := set x:nat, y:nat | x < y < 3 :: (x, y)
+```
+yields `S == {(0, 1), (0, 2), (1, 2) }`
+
+The types on the quantified variables are optional and if not given Dafny
+will attempt to infer them from the contexts in which they are used in the
+various expressions. The `<- C` domain expressions are also optional and default to
+`iset x: T` (i.e. all values of the variable's type), as are the `| P` expressions which
+default to `true`. See also [Section 2.7.4](#sec-quantifier-domains) for more details on quantifier domains.
+
+If a finite set was specified ("set" keyword used), Dafny must be able to prove that the
+result is finite otherwise the set comprehension expression will not be
+accepted.
+
+Set comprehensions involving reference types such as
+
+<!-- %no-check -->
+```dafny
+set o: object
+```
+
+are allowed in ghost expressions within methods, but not in ghost functions[^set-of-objects-not-in-functions].
+In particular, in ghost contexts, the
+check that the result is finite should allow any set comprehension
+where the bound variable is of a reference type. In non-ghost contexts,
+it is not allowed, because--even though the resulting set would be
+finite--it is not pleasant or practical to compute at run time.
+
+[^set-of-objects-not-in-functions]: In order to be deterministic, the result of a function should only depend on the arguments and of the objects  it [reads](#sec-reads-clause), and Dafny does not provide a way to explicitly pass the entire heap as the argument to a function. See [this post](https://github.com/dafny-lang/dafny/issues/1366) for more insights.
+
+The universe in which set comprehensions are evaluated is the set of all
+_allocated_ objects, of the appropriate type and satisfying the given predicate.
+For example, given
+
+<!-- %check-resolve -->
+```dafny
+class I {
+  var i: int
+}
+
+method test() {
+  ghost var m := set x: I :: 0 <= x.i <= 10;
+}
+```
+the set `m` contains only those instances of `I` that have been allocated
+at the point in program execution that `test` is evaluated. This could be
+no instances, one per value of `x.i` in the stated range, multiple instances
+of `I` for each value of `x.i`, or any other combination.
+
+### 9.31.6. Statements in an Expression ([grammar](#g-statement-in-expression)) {#sec-statement-in-an-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+assert x != 0; 10/x
+assert x != 0; assert y > 0; y/x
+assume x != 0; 10/x
+expect x != 0; 10/x
+reveal M.f; M.f(x)
+calc { x * 0; == 0; } x/1;
+```
+
+A ``StmtInExpr`` is a kind of statement that is allowed to
+precede an expression in order to ensure that the expression
+can be evaluated without error. For example:
+
+<!-- %no-check -->
+```dafny
+assume x != 0; 10/x
+```
+
+`Assert`, `assume`, `expect`, `reveal` and `calc` statements can be used in this way.
+
+### 9.31.7. Let and Let or Fail Expression ([grammar](#g-let-expression)) {#sec-let-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+var x := f(y); x*x
+var x :- f(y); x*x
+var x :| P(x); x*x
+var (x, y) := T(); x + y   // T returns a tuple
+var R(x,y) := T(); x + y   // T returns a datatype value R
+```
+
+
+A `let` expression allows binding of intermediate values to identifiers
+for use in an expression. The start of the `let` expression is
+signaled by the `var` keyword. They look much like a local variable
+declaration except the scope of the variable only extends to the
+enclosed expression.
+
+For example:
+<!-- %no-check -->
+```dafny
+var sum := x + y; sum * sum
+```
+
+In the simple case, the pattern is just an identifier with optional
+type (which if missing is inferred from the rhs).
+
+The more complex case allows destructuring of constructor expressions.
+For example:
+
+<!-- %check-resolve -->
+```dafny
+datatype Stuff = SCons(x: int, y: int) | Other
+function GhostF(z: Stuff): int
+  requires z.SCons?
+{
+  var SCons(u, v) := z; var sum := u + v; sum * sum
+}
+```
+
+The Let expression has a failure variant
+that simply uses `:-` instead of `:=`. This Let-or-Fail expression also permits propagating
+failure results. However, in statements ([Section 8.6](#sec-update-with-failure-statement)), failure results in
+immediate return from the method; expressions do not have side effects or immediate return
+mechanisms. Rather, if the expression to the right of `:-` results in a failure value `V`,
+the overall expression returns `V.PropagateFailure()`; if there is no failure, the expression following the 
+semicolon is returned. Note that these two possible return values must have the same type (or be 
+implicitly convertible to the same type). Typically that means that `tmp.PropagateFailure()` is a failure value and
+`E` is a value-carrying success value, both of the same failure-compatible type, 
+as described in [Section 8.6](#sec-update-with-failure-statement).
+
+The expression `:- V; E` is desugared into the _expression_
+<!-- %no-check -->
+```dafny
+var tmp := V;
+if tmp.IsFailure()
+then tmp.PropagateFailure()
+else E
+```
+
+The expression `var v :- V; E` is desugared into the _expression_
+<!-- %no-check -->
+```dafny
+var tmp := V;
+if tmp.IsFailure()
+then tmp.PropagateFailure()
+else var v := tmp.Extract(); E
+```
+
+If the RHS is a list of expressions then the desugaring is similar. `var v, v1 :- V, V1; E` becomes
+<!-- %no-check -->
+```dafny
+var tmp := V;
+if tmp.IsFailure()
+then tmp.PropagateFailure()
+else var v, v1 := tmp.Extract(), V1; E
+```
+
+So, if tmp is a failure value, then a corresponding failure value is propagated along; otherwise, the expression
+is evaluated as normal.
+
+### 9.31.8. Map Comprehension Expression ([grammar](#g-map-comprehension-expression)) {#sec-map-comprehension-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+map x : int | 0 <= x <= 10 :: x * x;
+map x : int | 0 <= x <= 10 :: -x := x * x;
+imap x : int | 10 < x :: x * x;
+```
+
+A _map comprehension expression_  defines a finite or infinite map value
+by defining a domain and for each value in the domain,
+giving the mapped value using the expression following the "::".
+See [Section 2.7.4](#sec-quantifier-domains) for more details on quantifier domains.
+
+For example:
+<!-- %check-resolve -->
+```dafny
+function square(x : int) : int { x * x }
+method test()
+{
+  var m := map x : int | 0 <= x <= 10 :: x * x;
+  ghost var im := imap x : int :: x * x;
+  ghost var im2 := imap x : int :: square(x);
+}
+```
+
+Dafny finite maps must be finite, so the domain must be constrained to be finite.
+But imaps may be infinite as the examples show. The last example shows
+creation of an infinite map that gives the same results as a function.
+
+If the expression includes the `:=` token, that token separates
+domain values from range values. For example, in the following code
+<!-- %check-resolve -->
+```dafny
+method test()
+{
+  var m := map x : int | 1 <= x <= 10 :: 2*x := 3*x;
+}
+```
+`m` maps `2` to `3`, `4` to `6`, and so on.
+
+## 9.32. Name Segment ([grammar](#g-name-segment)) {#sec-name-segment}
+
+Examples:
+<!-- %no-check -->
+```dafny
+I
+I<int,C>
+I#[k]
+I#<int>[k]
+```
+
+A _name segment_ names a Dafny entity by giving its declared
+name optionally followed by information to
+make the name more complete. For the simple case, it is
+just an identifier. Note that a name segment may be followed
+by [suffixes](#sec-suffix), including the common '.' and further name segments.
+
+If the identifier is for a generic entity, it is followed by
+a ``GenericInstantiation`` which provides actual types for
+the type parameters.
+
+To reference a prefix predicate (see [Section 5.14.3.5](#sec-copredicates)) or
+prefix lemma (see [Section 5.14.3.6.3](#sec-prefix-lemmas)), the identifier
+must be the name of the greatest predicate or greatest lemma and it must be
+followed by a [_hash call_](#sec-hash-call).
+
+## 9.33. Hash call ([grammar](#g-hash-call)) {#sec-hash-call}
+
+A _hash call_  is used to call the prefix for a greatest predicate or greatest lemma.
+In the non-generic case, just insert `"#[k]"` before the call argument
+list where k is the number of recursion levels.
+
+In the case where the `greatest lemma` is generic, the generic type
+argument is given before. Here is an example:
+
+<!-- %check-verify -->
+```dafny
+codatatype Stream<T> = Nil | Cons(head: int, stuff: T,
+                                  tail: Stream<T>)
+
+function append(M: Stream, N: Stream): Stream
+{
+  match M
+  case Nil => N
+  case Cons(t, s, M') => Cons(t, s, append(M', N))
+}
+
+function zeros<T>(s : T): Stream<T>
+{
+  Cons(0, s, zeros(s))
+}
+
+function ones<T>(s: T): Stream<T>
+{
+  Cons(1, s, ones(s))
+}
+
+greatest predicate atmost(a: Stream, b: Stream)
+{
+  match a
+  case Nil => true
+  case Cons(h,s,t) => b.Cons? && h <= b.head && atmost(t, b.tail)
+}
+
+greatest lemma {:induction false} Theorem0<T>(s: T)
+  ensures atmost(zeros(s), ones(s))
+{
+  // the following shows two equivalent ways to state the
+  // coinductive hypothesis
+  if (*) {
+    Theorem0#<T>[_k-1](s);
+  } else {
+    Theorem0(s);
+  }
+}
+```
+
+where the ``HashCall`` is `"Theorem0#<T>[_k-1](s);"`.
+See [Section 5.14.3.5](#sec-copredicates) and [Section 5.14.3.6.3](#sec-prefix-lemmas).
+
+## 9.34. Suffix ([grammar](#g-suffix)) {#sec-suffix}
+
+A _suffix_ describes ways of deriving a new value from
+the entity to which the suffix is appended. The several kinds
+of suffixes are described below.
+
+### 9.34.1. Augmented Dot Suffix ([grammar](#g-augmented-dot-suffix)) {#sec-augmented-dot-suffix}
+
+Examples: (expression with suffix)
+<!-- %no-check -->
+```dafny
+a.b
+(a).b<int>
+a.b#[k]
+a.b#<int>[k]
+```
+
+An augmented dot suffix consists of a simple [dot suffix](#sec-identifier-variations) optionally
+followed by either
+
+* a ``GenericInstantiation`` (for the case where the item
+selected by the ``DotSuffix`` is generic), or
+* a ``HashCall`` for the case where we want to call a prefix predicate
+  or prefix lemma. The result is the result of calling the prefix predicate
+  or prefix lemma.
+
+### 9.34.2. Datatype Update Suffix ([grammar](#g-datatype-update-suffix)) {#sec-datatype-update-suffix}
+
+Examples: (expression with suffix)
+<!-- %no-check -->
+```dafny
+a.(f := e1, g:= e2)
+a.(0 := e1)
+(e).(f := e1, g:= e2)
+```
+
+A _datatype update suffix_ is used to produce a new datatype value
+that is the same as an old datatype value except that the
+value corresponding to a given destructor has the specified value.
+In a _member binding update_, the given identifier (or digit sequence) is the
+name of a destructor (i.e. the formal parameter name) for one of the
+constructors of the datatype. The expression to the right of the
+`:=` is the new value for that formal.
+
+All of the destructors in a datatype update suffix must be
+for the same constructor, and if they do not cover all of the
+destructors for that constructor then the datatype value being
+updated must have a value derived from that same constructor.
+
+Here is an example:
+
+<!-- %check-verify Expressions.4.expect -->
+```dafny
+module NewSyntax {
+  datatype MyDataType = MyConstructor(myint:int, mybool:bool)
+                    | MyOtherConstructor(otherbool:bool)
+                    | MyNumericConstructor(42:int)
+
+  method test(datum:MyDataType, x:int)
+    returns (abc:MyDataType, def:MyDataType,
+             ghi:MyDataType, jkl:MyDataType)
+    requires datum.MyConstructor?
+    ensures abc == datum.(myint := x + 2)
+    ensures def == datum.(otherbool := !datum.mybool)  // error
+    ensures ghi == datum.(myint := 2).(mybool := false)
+    // Resolution error: no non_destructor in MyDataType
+    //ensures jkl == datum.(non_destructor := 5) // error
+    ensures jkl == datum.(42 := 7)
+  {
+    abc := MyConstructor(x + 2, datum.mybool);
+    abc := datum.(myint := x + 2);
+    def := MyOtherConstructor(!datum.mybool);
+    ghi := MyConstructor(2, false);
+    jkl := datum.(42 := 7); // error
+
+    assert abc.(myint := abc.myint - 2) == datum.(myint := x);
+  }
+}
+```
+
+### 9.34.3. Subsequence Suffix ([grammar](#g-subsequence-suffix)) {#sec-subsequence-suffix}
+
+Examples: (with leading expression)
+<!-- %no-check -->
+```dafny
+a[lo .. hi ]
+(e)[ lo .. ]
+e[ .. hi ]
+e[ .. ]
+```
+
+A subsequence suffix applied to a sequence produces a new sequence whose
+elements are taken from a contiguous part of the original sequence. For
+example, expression `s[lo..hi]` for sequence `s`, and integer-based
+numeric bounds `lo` and `hi` satisfying `0 <= lo <= hi <= |s|`. See
+[the section about other sequence expressions](#sec-other-sequence-expressions) for details.
+
+A subsequence suffix applied to an array produces a _sequence_ consisting of 
+the values of the designated elements. A concise way of converting a whole 
+array to a sequence is to write `a[..]`.
+
+### 9.34.4. Subsequence Slices Suffix ([grammar](#g-subsequence-slices-suffix)) {#sec-subsequence-slices-suffix}
+
+Examples: (with leading expression)
+<!-- %no-check -->
+```dafny
+a[ 0 : 2 : 3 ]
+a[ e1 : e2 : e3 ]
+a[ 0 : 2 : ]
+```
+
+Applying a _subsequence slices suffix_ to a sequence produces a
+sequence of subsequences of the original sequence.
+See [the section about other sequence expressions](#sec-other-sequence-expressions) for details.
+
+### 9.34.5. Sequence Update Suffix ([grammar](#g-sequence-update-suffix)) {#sec-sequence-update-suffix}
+
+Examples:
+<!-- %no-check -->
+```dafny
+s[1 := 2, 3 := 4]
+```
+
+For a sequence `s` and expressions `i` and `v`, the expression
+`s[i := v]` is the same as the sequence `s` except that at
+index `i` it has value `v`.
+
+If the type of `s` is `seq<T>`, then `v` must have type `T`.
+The index `i` can have any integer- or bit-vector-based type
+(this is one situation in which Dafny implements implicit
+conversion, as if an `as int` were appended to the index expression).
+The expression `s[i := v]` has the same type as `s`.
+
+### 9.34.6. Selection Suffix ([grammar](#g-selection-suffix)) {#sec-selection-suffix}
+
+Examples:
+<!-- %no-check -->
+```dafny
+a[9]
+a[i.j.k]
+```
+
+If a selection suffix  has only one expression in it, it is a
+zero-based index that may be used to select a single element of a
+sequence or from a single-dimensional array.
+
+If a selection suffix has more than one expression in it, then
+it is a list of indices to index into a multi-dimensional array.
+The rank of the array must be the same as the number of indices.
+
+If the selection suffix is used with an array or a sequence,
+then each index expression can have any integer- or bit-vector-based
+type
+(this is one situation in which Dafny implements implicit
+conversion, as if an `as int` were appended to the index expression).
+
+### 9.34.7. Argument List Suffix ([grammar](#g-argument-list-suffix)) {#sec-argument-list-suffix}
+
+Examples:
+<!-- %no-check -->
+```dafny
+()
+(a)
+(a, b)
+```
+An argument list suffix is a parenthesized list of expressions that
+are the arguments to pass to a method or function that is being
+called. Applying such a suffix causes the method or function
+to be called and the result is the result of the call.
+
+Note that method calls may only appear in [right-hand-side](#sec-rhs-expression)
+locations, whereas function calls may appear in expressions and specifications;
+this distinction can be made only during name and type resolution, not by the
+parser.
+
+## 9.35. Expression Lists ([grammar](#g-expression-list)) {#sec-expression-list}
+
+Examples:
+<!-- %no-check -->
+```dafny
+                // empty list
+a
+a, b
+```
+
+An expression list is a comma-separated sequence of expressions, used, for example,
+as actual araguments in a method or function call or in parallel assignment.
+
+## 9.36. Parameter Bindings ([grammar](#g-parameter-bindings)) {#sec-parameter-bindings}
+
+Examples: 
+<!-- %no-check -->
+```dafny
+a
+a, b
+a, optimize := b
+```
+
+Method calls, object-allocation calls (`new`), function calls, and
+datatype constructors can be called with both positional arguments
+and named arguments.
+
+Formal parameters have three ways to indicate how they are to be passed in:
+- nameonly: the only way to give a specific argument value is to name the parameter
+- positional only: these are nameless parameters (which are allowed only for datatype constructor parameters)
+- either positional or by name: this is the most common parameter
+
+A parameter is either required or optional:
+- required: a caller has to supply an argument
+- optional: the parameter has a default value that is used if a caller omits passing a specific argument
+
+The syntax for giving a positional-only (i.e., nameless) parameter does not allow a default-value expression, so a positional-only parameter is always required.
+
+At a call site, positional arguments are not allowed to follow named arguments. Therefore, if `x` is a nameonly parameter, then there is no way to supply the parameters after `x` by position. 
+Thus, any parameter that follows `x` must either be passed by name or have a default value. 
+That is, if a later (in the formal parameter declaration) parameter does not have a default value, it is effectively nameonly. 
+
+Positional arguments must be given before any named arguments.
+Positional arguments are passed to the formals in the corresponding
+position. Named arguments are passed to the formal of the given
+name. Named arguments can be given out of order from how the corresponding
+formal parameters are declared. A formal declared with the modifier
+`nameonly` is not allowed to be passed positionally.
+The list of bindings for a call must
+provide exactly one value for every required parameter and at most one
+value for each optional parameter, and must never name
+non-existent formals. Any optional parameter that is not given a value
+takes on the default value declared in the callee for that optional parameter.
+
+## 9.37. Assigned Expressions {#sec-assigned-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+assigned(x)
+```
+
+For any variable, constant, out-parameter, or object field `x`,
+the expression `assigned(x)` evaluates to `true` in a state
+if `x` is definitely assigned in that state.
+
+See [Section 12.6](#sec-definite-assignment) for more details on definite assignment.
+
+## 9.38. Termination Ordering Expressions {#sec-termination-ordering-expressions}
+
+When proving that a loop or recursive callable terminates, Dafny
+automatically generates a proof obligation that the sequence of
+expressions listed in a `decreases` clause gets smaller (in the
+[lexicographic termination ordering](#sec-decreases-clause)) with each
+iteration or recursive call. Normally, this proof obligation is purely
+internal. However, it can be written as a Dafny expression using the
+`decreases to` operator.
+
+The Boolean expression `(a, ..., b decreases to a', ..., b')` encodes
+this ordering. (The parentheses can be omitted if there is exactly 1 left-hand side
+and exactly 1 right-hand side.) For example, the following assertions are valid:
+<!-- %check-verify -->
+```dafny
+method M(x: int, y: int) {
+  assert 1 decreases to 0;
+  assert (true, false decreases to false, true);
+  assert (x, y decreases to x - 1, y);
+}
+```
+
+Conversely, the following assertion is invalid:
+<!-- %check-verify Expressions.5.expect -->
+```dafny
+method M(x: int, y: int) {
+  assert x decreases to x + 1;
+}
+```
+
+The `decreases to` operator is strict, that is, it means "strictly greater than".
+The `nonincreases to` operator is the non-strict ("greater than or equal") version of it.
+
+## 9.39. Compile-Time Constants {#sec-compile-time-constants}
+
+In certain situations in Dafny it is helpful to know what the value of a
+constant is during program analysis, before verification or execution takes
+place. For example, a compiler can choose an optimized representation of a
+`newtype` that is a subset of `int` if it knows the range of possible values
+of the subset type: if the range is within 0 to less than 256, then an
+unsigned 8-bit representation can be used.
+
+To continue this example, suppose a new type is defined as
+<!-- %check-resolve -->
+```dafny
+const MAX := 47
+newtype mytype = x | 0 <= x < MAX*4
+```
+In this case, we would prefer that Dafny recognize that `MAX*4` is
+known to be constant with a value of `188`. The kinds of expressions
+for which such an optimization is possible are called
+_compile-time constants_. Note that the representation of `mytype` makes
+no difference semantically, but can affect how compiled code is represented at run time.
+In addition, though, using a symbolic constant (which may
+well be used elsewhere as well) improves the self-documentation of the code.
+
+In Dafny, the following expressions are compile-time constants[^CTC], recursively
+(that is, the arguments of any operation must themselves be compile-time constants):
+
+- int, bit-vector, real, boolean, char and string literals
+- int operations: `+ - * / %` and unary `-` and comparisons `< <= > >= == !=`
+- real operations: `+ - *` and unary `-` and comparisons `< <= > >= == !=`
+- bool operations: `&& || ==> <== <==> == !=` and unary `!`
+- bit-vector operations: `+ - * / % << >> & | ^` and unary `! -` and comparisons `< <= > >= == !=`
+- char operations: `< <= > >= == !=`
+- string operations: length: `|...|`, concatenation: `+`, comparisons `< <= == !=`, indexing `[]`
+- conversions between: `int` `real` `char` bit-vector
+- newtype operations: newtype arguments, but not newtype results
+- symbolic values that are declared `const` and have an explicit initialization value that is a compile-time constant
+- conditional (if-then-else) expressions
+- parenthesized expressions
+
+[^CTC]: This set of operations that are constant-folded may be enlarged in future versions of `dafny`.
+
+## 9.40. List of specification expressions {#sec-list-of-specification-expressions}
+
+The following is a list of expressions that can only appear in specification contexts or in ghost blocks.
+
+* [Fresh expressions](#sec-fresh-expression)
+* [Allocated expressions](#sec-allocated-expression)
+* [Unchanged expressions](#sec-unchanged-expression)
+* [Old expressions](#sec-old-expression)
+- [Assigned expressions](#sec-assigned-expression)
+* [Assert and calc expressions](#sec-statement-in-an-expression)
+* [Hash Calls](#sec-hash-call)
+* [Termination ordering expression](#sec-termination-ordering-expressions)
diff --git a/v4.10.0/DafnyRef/Features.md b/v4.10.0/DafnyRef/Features.md
new file mode 100644
index 0000000..c09e18d
--- /dev/null
+++ b/v4.10.0/DafnyRef/Features.md
@@ -0,0 +1,66 @@
+| Feature | C# | JavaScript | Go | Java | Python | C++ | Dafny Library (.doo) |
+|-|-|-|-|-|-|-|-|
+| [Unbounded integers](#sec-numeric-types) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Real numbers](#sec-numeric-types) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Ordinals](#sec-ordinals) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Function values](#sec-arrow-subset-types) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Iterators](#sec-iterator-types) |  X  |  X  |  X  |  |  X  |  |  X  |
+| [Collections with trait element types](#sec-collection-types) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [External module names with only underscores](#sec-extern-decls) |  X  |  X  |  |  X  |  X  |  X  |  X  |
+| [Co-inductive datatypes](#sec-coinductive-datatypes) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Multisets](#sec-multisets) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Runtime type descriptors](#) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Multi-dimensional arrays](#sec-multi-dimensional-arrays) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Map comprehensions](#sec-map-comprehension-expression) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Traits](#sec-trait-types) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Let-such-that expressions](#sec-let-expression) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Non-native numeric newtypes](#sec-newtypes) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Method synthesis](#sec-synthesize-attr) |  X  |  |  |  |  |  |  X  |
+| [External classes](#sec-extern-decls) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Instantiating the `object` type](#sec-object-type) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [`forall` statements that cannot be sequentialized](#sec-forall-statement)[^compiler-feature-forall-note] |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Taking an array's length](#sec-array-type) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [`m.Items` when `m` is a map](#sec-maps) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [The /runAllTests option](#sec-test-attribute) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Integer range constraints in quantifiers (e.g. `a <= x <= b`)](#sec-quantifier-domains) |  X  |  X  |  X  |  X  |  X  |  X  |  X  |
+| [Exact value constraints in quantifiers (`x == C`)](#sec-quantifier-domains) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Sequence displays of characters](#sec-sequence-displays)[^compiler-sequence-display-of-characters-note] |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Type test expressions (`x is T`)](#sec-as-is-expression) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Type test expressions on subset types](#sec-as-is-expression) |  |  |  |  |  |  |  X  |
+| [Quantifiers](#sec-quantifier-expression) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Bitvector RotateLeft/RotateRight functions](#sec-bit-vector-types) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [`for` loops](#sec-for-statement) |  X  |  X  |  X  |  X  |  X  |  X  |  X  |
+| [`continue` statements](#sec-break-continue-statement) |  X  |  X  |  X  |  X  |  X  |  X  |  X  |
+| [Assign-such-that statements with potentially infinite bounds](#sec-update-and-call-statement)[^compiler-infinite-assign-such-that-note] |  X  |  X  |  X  |  X  |  X  |  X  |  X  |
+| [Sequence update expressions](#sec-other-sequence-expressions) |  X  |  X  |  X  |  X  |  X  |  X  |  X  |
+| [Sequence constructions with non-lambda initializers](#sec-sequence-displays)[^compiler-sequence-display-nolambda-note] |  X  |  X  |  X  |  X  |  X  |  X  |  X  |
+| [Externally-implemented constructors](#sec-extern-decls) |  X  |  |  |  X  |  X  |  X  |  X  |
+| [Auto-initialization of tuple variables](#sec-tuple-types) |  X  |  X  |  X  |  X  |  X  |  X  |  X  |
+| [Subtype constraints in quantifiers](#sec-quantifier-expression) |  X  |  X  |  X  |  X  |  X  |  X  |  X  |
+| [Tuples with more than 20 arguments](##sec-compilation-built-ins) |  |  X  |  X  |  |  X  |  X  |  X  |
+| [Arrays with more than 16 dimensions](##sec-compilation-built-ins) |  |  X  |  X  |  |  X  |  X  |  X  |
+| [Arrow types with more than 16 arguments](##sec-compilation-built-ins) |  |  X  |  X  |  |  X  |  X  |  X  |
+| [Unicode chars](##sec-characters) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Converting values to strings](#sec-print-statement) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Legacy CLI without commands](#sec-dafny-commands) |  X  |  X  |  X  |  X  |  X  |  X  |  |
+| [Separate compilation](#sec-compilation) |  X  |  |  X  |  X  |  X  |  X  |  X  |
+| [All built-in types in runtime library](#sec-compilation-built-ins) |  X  |  X  |  X  |  X  |  X  |  |  X  |
+| [Execution coverage report](#sec-dafny-test) |  X  |  |  |  |  |  |  |
+
+[^compiler-feature-forall-note]: 'Sequentializing' a `forall` statement refers to compiling it directly to a series of nested loops
+    with the statement's body directly inside. The alternative, default compilation strategy
+    is to calculate the quantified variable bindings separately as a collection of tuples,
+    and then execute the statement's body for each tuple.
+    Not all `forall` statements can be sequentialized.
+
+[^compiler-sequence-display-of-characters-note]: This refers to an expression such as `['H', 'e', 'l', 'l', 'o']`, as opposed to a string literal such as `"Hello"`.
+
+[^compiler-infinite-assign-such-that-note]: This refers to assign-such-that statements with multiple variables,
+    and where at least one variable has potentially infinite bounds.
+    For example, the implementation of the statement `var x: nat, y: nat :| 0 < x && 0 < y && x*x == y*y*y + 1;`
+    needs to avoid the naive approach of iterating all possible values of `x` and `y` in a nested loop.
+
+[^compiler-sequence-display-nolambda-note]: Sequence construction expressions often use a direct lambda expression, as in `seq(10, x => x * x)`,
+    but they can also be used with arbitrary function values, as in `seq(10, squareFn)`.
+
+
diff --git a/v4.10.0/DafnyRef/Grammar.1.expect b/v4.10.0/DafnyRef/Grammar.1.expect
new file mode 100644
index 0000000..db0b148
--- /dev/null
+++ b/v4.10.0/DafnyRef/Grammar.1.expect
@@ -0,0 +1,4 @@
+text.dfy(3,11): Error: missing semicolon at end of statement
+text.dfy(3,16): Error: missing semicolon at end of statement
+text.dfy(5,2): Error: rbrace expected
+3 parse errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Grammar.2.expect b/v4.10.0/DafnyRef/Grammar.2.expect
new file mode 100644
index 0000000..72d1397
--- /dev/null
+++ b/v4.10.0/DafnyRef/Grammar.2.expect
@@ -0,0 +1,2 @@
+text.dfy(3,27): Error: invalid NameSegment
+1 parse errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Grammar.md b/v4.10.0/DafnyRef/Grammar.md
new file mode 100644
index 0000000..127ab70
--- /dev/null
+++ b/v4.10.0/DafnyRef/Grammar.md
@@ -0,0 +1,514 @@
+# 2. Lexical and Low Level Grammar {#sec-lexical-grammar}
+
+As with most languages, Dafny syntax is defined in two levels. First the stream
+of input characters is broken up into _tokens_. Then these tokens are parsed
+using the Dafny grammar. 
+
+The Dafny grammar is designed as an _attributed grammar_, which is a 
+conventional BNF-style set of productions, but in which the productions can
+have arguments. The arguments control some alternatives within
+the productions, such as whether an alternative is allowed or not in a specific context.
+These arguments allow for a more compact and understandable grammar.
+
+The precise, technical details of the grammar are presented together in [Section 17](#sec-grammar-details).
+The expository parts of this manual present the language structure less formally.
+Throughout this document there are embedded hyperlinks to relevant grammar sections, 
+marked as [grammar](#sec-grammar-details).
+
+## 2.1. Dafny Input {#sec-unicode}
+
+Dafny source code files are readable text encoded in UTF-8.
+All program text other than the contents of comments, character, string and verbatim string literals
+consists of printable and white-space ASCII characters,
+that is, ASCII characters in the range `!` to `~`, plus space, tab, 
+carriage return and newline (ASCII 9, 10, 13, 32) characters.
+(In some past versions of Dafny, non-ASCII, unicode representations of some mathematical symbols were
+permitted in Dafny source text; these are no longer recognized.)
+
+String and character literals and comments may contain any unicode character,
+either directly or as an escape sequence.
+
+## 2.2. Tokens and whitespace {#sec-token-types}
+The characters used in a Dafny program fall into four groups:
+
+* White space characters: space, tab, carriage return and newline
+* alphanumerics: letters, digits, underscore (`_`), apostrophe (`'`), and question mark (`?`)
+* punctuation: ``(){}[],.`;``
+* operator characters (the other printable characters)
+
+Except for string and character literals, each Dafny token consists of a 
+sequence of consecutive characters from just one of these
+groups, excluding white-space. White-space is ignored except that it
+separates tokens and except in the bodies of character and string literals.
+
+A sequence of alphanumeric characters (with no preceding or following additional
+alphanumeric characters) is a _single_ token. This is true even if the token
+is syntactically or semantically invalid and the sequence could be separated into
+more than one valid token. For example, `assert56` is one identifier token,
+not a keyword `assert` followed by a number; `ifb!=0` begins with the token
+`ifb` and not with the keyword `if` and token `b`; `0xFFFFZZ` is an illegal
+token, not a valid hex number `0xFFFF` followed by an identifier `ZZ`.
+White-space must be used to separate two such tokens in a program.
+
+Somewhat differently, operator tokens need not be separated.
+Only specific sequences of operator characters are recognized and these
+are somewhat context-sensitive. For example, in `seq<set<int>>`, the grammar
+knows that `>>` is two individual `>` tokens terminating the nested
+type parameter lists; the right shift operator `>>` would never be valid here. Similarly, the
+sequence `==>` is always one token; even if it were invalid in its context,
+separating it into `==` and `>` would always still be invalid.
+
+In summary, except for required white space between alphanumeric tokens,
+adding or removing white space between tokens can never result in changing the meaning of a Dafny program.
+For most of this document, we consider Dafny programs as sequences of tokens.
+
+## 2.3. Character Classes {#sec-character-classes}
+
+This section defines character classes used later in the token definitions.
+In this section 
+
+* a backslash is used to start an escape sequence (so for example
+`'\n'` denotes the single linefeed character)
+* double quotes
+enclose the set of characters constituting a character class
+* enclosing single
+quotes are used when there is just one character in the class
+(perhaps expressed with a `\` escape character)
+* `+` indicates
+the union of two character classes
+* `-` is the set-difference between the
+two classes
+* `ANY` designates all [unicode characters](#sec-unicode).
+
+ name              | description
+-------------------|---------------------------
+letter             | ASCII upper or lower case letter; no unicode characters
+digit              | base-ten digit ("0123456789")
+posDigit           | digits, excluding 0 ("123456789")
+posDigitFrom2      | digits excluding 0 and 1 ("23456789")
+hexdigit           | a normal hex digit ("0123456789abcdefABCDEF")
+special            | `?_"
+cr                 | carriage return character (ASCII 10)
+lf                 | line feed character (ASCII 13)
+tab                | tab character (ASCII 9)
+space              | space character (ASCII 32)
+                   |
+nondigitIdChar     | characters allowed in an identifier, except digits (letter + special)
+idchar             | characters allowed in an identifier (nondigitIdChar + digits)
+nonidchar          | characters not in identifiers (ANY - idchar)
+charChar           | characters allowed in a character constant (ANY - '\'' - '\\' - cr - lf)
+stringChar         | characters allowed in a string constant (ANY - '"' - '\\' - cr - lf)
+verbatimStringChar | characters allowed in a verbatim string constant (ANY - '"')
+
+
+
+
+The _special_ characters are the characters in addition to alphanumeric characters
+that are allowed to appear in a Dafny identifier. These are
+
+* `'` because mathematicians like to put primes on identifiers and some ML
+  programmers like to start names of type parameters with a `'`,
+* `_` because computer scientists expect to be able to have underscores in identifiers, and
+* `?` because it is useful to have `?` at the end of names of predicates,
+  e.g., `Cons?`.
+
+A `nonidchar` is any character except those that can be used in an identifier.
+Here the scanner generator will interpret `ANY` as any unicode character.
+However, `nonidchar` is used only to mark the end of the `!in` token;
+in this context any character other than [whitespace or printable ASCII](#sec-unicode)
+will trigger a subsequent scanning or parsing error.
+
+
+
+## 2.4. Comments {#sec-comments}
+Comments are in two forms.
+
+* They may go from `/*` to `*/` .
+* They may go from `//` to the end of the line.
+
+A comment is identified as a token during the tokenization of 
+input text and is then discarded for the purpose of interpreting the 
+Dafny program. (It is retained to enable auto-formatting
+and provide accurate source locations for error messages.)
+Thus comments are token separators: `a/*x*/b` becomes two tokens
+`a` and `b`.
+
+Comments may be nested,
+but note that the nesting of multi-line comments is behavior that is different
+from most programming languages. In Dafny,
+<!-- %check-resolve -->
+```dafny
+method m() {
+  /* comment
+     /* nested comment
+     */
+     rest of outer comment
+  */
+}
+```
+is permitted; this feature is convenient for commenting out blocks of
+program statements that already have multi-line comments within them.
+Other than looking for end-of-comment delimiters,
+the contents of a comment are not interpreted.
+Comments may contain any characters.
+
+Note that the nesting is not fool-proof. In
+<!-- %check-resolve Grammar.1.expect -->
+```dafny
+method m() {
+  /* var i: int;
+     // */ line comment
+     var j: int;
+  */
+}
+```
+and
+<!-- %check-resolve Grammar.2.expect -->
+```dafny
+method m() {
+  /* var i: int;
+     var s: string := "a*/b";
+     var j: int;
+   */
+}
+```
+the `*/` inside the line comment and the string are seen as the end of the outer
+comment, leaving trailing text that will provoke parsing errors.
+
+## 2.5. Documentation comments {#sec-documentation-comments}
+
+Like many other languages, Dafny permits _documentation comments_ in a program file.
+Such comments contain natural language descriptions of program elements and may be used
+by IDEs and documentation generation tools to present information to users.
+
+In Dafny programs.
+* Documentation comments (a) either begin with `/**` or (b) begin with `//` or /*` in specific locations
+* Documentation comments may be associated with any declaration, including type definitions, export declarations, and datatype constructors.
+* They may be placed before the declaration, between the declaration and the definition or after the definition. The priority of these comments is the following:
+   * If there is a comment starting with `/**` right before the definition, it's the documentation comment.
+   * Otherwise, if one or more comments appear between a declaration and its definition — which is uncommon in other programming languages — they are treated as documentation comments, regardless of whether they start with //, /**, or /*. This is because there is no other plausible reason for a comment to be placed in this position.
+   * Otherwise, if there is a single comment starting with `//` or `/**` or `/*` at the end of the definition, it's the documentation comment. In this case, multi-line documentation comments must be starting with `/*`
+* The extraction of the doc-string from a documentation comment follows the following rules 
+  * On the first line, an optional `*` right after `/*` and an optional space are removed, if present
+  * On other lines, the indentation space (with possibly one star in it) is removed, as if the content was supposed to align with A if the comment started with `/** A` for example.
+* The documentation string is interpreted as plain text, but it is possible to provide a user-written
+  plugin that provides other interpretations. VSCode as used by Dafny interprets any markdown
+  syntax in the doc-string.
+
+Here are examples:
+<!-- %check-resolve -->
+```dafny
+/* Just a comment */
+const c0: int := 8 // docstring about c0
+// Just a comment
+
+/** docstring about c1 */
+newtype c1 = x : int | x > 8 // Just a comment
+
+/* Just a comment */
+function c2(): (r: int) // Docstring about c2
+  ensures r > 0
+{ 8 } // Just a comment
+
+// just a comment
+const c5 := 8
+```
+
+Datatype constructors may also have comments:
+<!-- %check-resolve -->
+```dafny
+datatype T // Docstring for T
+= | A(x: int,
+      y: int) // Docstring for A
+  | B()       /* Docstring for B */ |
+    C()       // Docstring for C
+
+/** Docstring for T0 */
+datatype T0 =
+  | /** Docstring for A */
+    A(x: int,
+      y: int)
+  | /** Docstring for B */
+    B()
+  | /** Docstring for C */
+    C()
+```
+
+As can `export` declarations:
+<!-- %check-resolve -->
+```dafny
+module M {
+  const A: int
+  const B: int
+  const C: int
+  const D: int
+
+  export
+    // This is the docstring of the eponymous export set intended for most clients
+    provides A, B, C
+
+  /** This is the docstring */
+  export AB provides A, B
+
+  export Friends extends AB
+    // This is the docstring of the export set is for clients who need to know more of the
+    // details of the module's definitions.
+    reveals A
+    provides D
+}
+```
+
+
+## 2.6. Tokens ([grammar](#sec-g-tokens)) {#sec-tokens}
+
+The Dafny tokens are defined in this section.
+
+### 2.6.1. Reserved Words {#sec-reserved-words}
+
+Dafny has a set of reserved words that may not
+be used as identifiers of user-defined entities.
+These are listed [here](#sec-g-tokens).
+
+In particular note that
+
+- `array`, `array2`, `array3`, etc. are reserved words, denoting array types of given rank.
+However,  `array1` and `array0` are ordinary identifiers.
+- `array?`, `array2?`, `array3?`, etc. are reserved words, 
+denoting possibly-null array types of given rank,
+but not `array1?` or `array0?`.
+- `bv0`, `bv1`, `bv2`, etc. are reserved words that denote the types of
+bitvectors of given length.
+The sequence of digits after 'array' or 'bv' may not have leading zeros: 
+for example, `bv02` is an ordinary identifier.
+
+### 2.6.2. Identifiers {#sec-identifiers}
+
+In general, an `ident` token (an identifier) is a sequence of ``idchar`` characters where
+the first character is a ``nondigitIdChar``. However tokens that fit this pattern
+are not identifiers if they look like a character literal
+or a reserved word (including array or bit-vector type tokens).
+Also, `ident` tokens that begin with an `_` are not permitted as user identifiers.
+
+### 2.6.3. Digits {#sec-digits}
+
+A `digits` token is a sequence of decimal digits (`digit`), possibly interspersed with 
+underscores for readability (but not beginning or ending with an underscore).
+Example: `1_234_567`.
+
+A `hexdigits` token denotes a hexadecimal constant, and is a sequence of hexadecimal digits (`hexdigit`)
+prefaced by `0x` and
+possibly interspersed with underscores for readability (but not beginning or ending with an underscore).
+Example: `0xffff_ffff`.
+
+A `decimaldigits` token is a decimal fraction constant, possibly interspersed with underscores for readability (but not beginning or ending with an underscore).
+It has digits both before and after a single period (`.`) character. There is no syntax for floating point numbers with exponents.
+Example: `123_456.789_123`.
+
+### 2.6.4. Escaped Character {#sec-escaped-characters}
+
+The `escapedChar` token is a multi-character sequence that denotes a non-printable or non-ASCII character.
+Such tokens begin with a backslash characcter (`\`) and denote
+ a single- or double-quote character, backslash,
+null, new line, carriage return, tab, or a
+Unicode character with given hexadecimal representation.
+Which Unicode escape form is allowed depends on the value of the `--unicode-char` option.
+
+If `--unicode-char:false` is stipulated,
+`\uXXXX` escapes can be used to specify any UTF-16 code unit.
+
+If `--unicode-char:true` is stipulated,
+`\U{X..X}` escapes can be used to specify any Unicode scalar value.
+There must be at least one hex digit in between the braces, and at most six.
+Surrogate code points are not allowed.
+The hex digits may be interspersed with underscores for readability 
+(but not beginning or ending with an underscore), as in `\U{1_F680}`.
+The braces are part of the required character sequence.
+
+Note that although Unicode
+letters are not allowed in Dafny identifiers, Dafny does support [Unicode
+in its character, string, and verbatim strings constants and in its comments](#sec-unicode).
+
+### 2.6.5. Character Constant Token {#sec-character-constant-token}
+
+The `charToken` token denotes a character constant.
+It is either a `charChar` or an `escapedChar` enclosed in single quotes.
+
+### 2.6.6. String Constant Token {#sec-string-constant-token}
+
+A `stringToken` denotes a string constant.
+It consists of a sequence of `stringChar` and `escapedChar` characters enclosed in 
+double quotes.
+
+A `verbatimStringToken` token also denotes a string constant.
+It is a sequence of any `verbatimStringChar` characters (which includes newline characters),
+enclosed between `@"` and `"`, except that two
+successive double quotes represent one quote character inside
+the string. This is the mechanism for escaping a double quote character,
+which is the only character needing escaping in a verbatim string.
+Within a verbatim string constant, a backslash character represents itself 
+and is not the first character of an `escapedChar`.
+
+### 2.6.7. Ellipsis {#sec-ellipsis}
+
+The `ellipsisToken` is the character sequence `...` and is typically used to designate something missing that will
+later be inserted through refinement or is already present in a parent declaration.
+
+## 2.7. Low Level Grammar Productions {#sec-grammar}
+
+### 2.7.1. Identifier Variations {#sec-identifier-variations}
+
+#### 2.7.1.1. Identifier
+
+A basic ordinary identifier is just an `ident` token.
+
+It may be followed by a sequence of suffixes to denote compound entities.
+Each suffix is a dot (`.`) and another token, which may be
+
+- another `ident` token
+- a `digits` token
+- the `requires` reserved word
+- the `reads` reserved word
+
+Note that
+
+* Digits can be used to name fields of classes and destructors of
+  datatypes. For example, the built-in tuple datatypes have destructors
+  named 0, 1, 2, etc. Note that as a field or destructor name, a digit sequence
+  is treated as a string, not a number: internal
+  underscores matter, so `10` is different from `1_0` and from `010`.
+* `m.requires` is used to denote the [precondition](#sec-requires-clause) for method `m`.
+* `m.reads` is used to denote the things that method `m` may [read](#sec-reads-clause).
+
+#### 2.7.1.2. No-underscore-identifier
+
+A `NoUSIdent` is an identifier except that identifiers with a **leading**
+underscore are not allowed. The names of user-defined entities are
+required to be ``NoUSIdent``s or, in some contexts, a ``digits``.
+ We introduce more mnemonic names
+for these below (e.g. ``ClassName``).
+
+A no-underscore-identifier is required for the following:
+
+- module name
+- class or trait name
+- datatype name
+- newtype name
+- synonym (and subset) type name
+- iterator name
+- type variable name
+- attribute name
+
+A variation, a no-underscore-identifier or a `digits`, is allowed for
+
+- datatype member name
+- method or function or constructor name
+- label name
+- export id
+- suffix that is a typename or constructor 
+
+All _user-declared_ names do not start with underscores, but there are
+internally generated names that a user program might _use_ that begin
+with an underscore or are just an underscore.
+
+#### 2.7.1.3. Wild identifier {#sec-wild-identifier}
+
+A wild identifier is a no-underscore-identifier except that the singleton
+`_` is allowed. The `_` is replaced conceptually by a unique
+identifier distinct from all other identifiers in the program.
+A `_` is used when an identifier is needed, but its content is discarded.
+Such identifiers are not used in expressions.
+
+Wild identifiers may be used in these contexts:
+
+- formal parameters of a lambda expression
+- the local formal parameter of a quantifier
+- the local formal parameter of a subset type or newtype declaration
+- a variable declaration
+- a case pattern formal parameter
+- binding guard parameter
+- for loop parameter
+- LHS of update statements 
+
+### 2.7.2. Qualified Names
+
+A qualified name starts with the name of a top-level entity and then is followed by
+zero or more ``DotSuffix``s which denote a component. Examples:
+
+* `Module.MyType1`
+* `MyTuple.1`
+* `MyMethod.requires`
+* `A.B.C.D`
+
+The identifiers and dots are separate tokens and so may optionally be
+separated by whitespace.
+
+### 2.7.3. Identifier-Type Combinations
+
+Identifiers are typically declared in combination with a type, as in
+<!-- %no-check -->
+```dafny
+var i: int
+```
+
+However, Dafny infers types in many circumstances, and in those, the type can be omitted. The type is required
+for field declarations and formal parameters of methods, functions and constructors (because there is no initializer).
+It may be omitted (if the type can be inferred) for local variable declarations, pattern matching variables, 
+quantifiers, 
+
+Similarly, there are circumstances in which the identifier name is not needed, because it is not used.
+This is allowed in defining algebraic datatypes.
+
+In some other situations a wild identifier can be used, as described [above](#sec-wild-identifier).
+
+### 2.7.4. Quantifier Domains ([grammar](#g-quantifier-domain)) {#sec-quantifier-domains}
+
+Several Dafny constructs bind one or more variables to a range of possible values.
+For example, the quantifier `forall x: nat | x <= 5 :: x * x <= 25` has the meaning
+"for all integers x between 0 and 5 inclusive, the square of x is at most 25".
+Similarly, the set comprehension `set x: nat | x <= 5 :: f(x)` can be read as
+"the set containing the result of applying f to x, for each integer x from 0 to 5 inclusive".
+The common syntax that specifies the bound variables and what values they take on
+is known as the *quantifier domain*; in the previous examples this is `x: nat | x <= 5`, 
+which binds the variable `x` to the values `0`, `1`, `2`, `3`, `4`, and `5`.
+
+Here are some more examples.
+
+- `x: byte` (where a value of type `byte` is an int-based number `x` in the range `0 <= x < 256`)
+- `x: nat | x <= 5`
+- `x <- integerSet`
+- `x: nat <- integerSet`
+- `x: nat <- integerSet | x % 2 == 0`
+- `x: nat, y: nat | x < 2 && y < 2`
+- `x: nat | x < 2, y: nat | y < x`
+- `i | 0 <= i < |s|, y <- s[i] | i < y`
+
+A quantifier domain declares one or more *quantified variables*, separated by commas.
+Each variable declaration can be nothing more than a variable name, but it 
+may also include any of three optional elements:
+
+1. The optional syntax `: T` declares the type of the quantified variable.
+   If not provided, it will be inferred from context.
+
+2. The optional syntax `<- C` attaches a collection expression `C` as a *quantified variable domain*.
+   Here a collection is any value of a type that supports the `in` operator, namely sets, multisets, maps, and sequences.
+   The domain restricts the bindings to the elements of the collection: `x <- C` implies `x in C`.
+   The example above can also be expressed as `var c := [0, 1, 2, 3, 4, 5]; forall x <- c :: x * x <= 25`.
+
+3. The optional syntax `| E` attaches a boolean expression `E` as a *quantified variable range*,
+   which restricts the bindings to values that satisfy this expression.
+   In the example above `x <= 5` is the range attached to the `x` variable declaration.
+
+Note that a variable's domain expression may reference any variable declared before it,
+and a variable's range expression may reference the attached variable (and usually does) and any variable declared before it.
+For example, in the quantifier domain `i | 0 <= i < |s|, y <- s[i] | i < y`, the expression `s[i]` is always [well-formed](#sec-assertion-batches)
+because the range attached to `i` ensures `i` is a valid index in the sequence `s`.
+
+Allowing per-variable ranges is not fully backwards compatible, and so it is not yet allowed by default;
+the `--quantifier-syntax:4` option needs to be provided to enable this feature (See [Section 13.9.5](#sec-controlling-language)).
+
+### 2.7.5. Numeric Literals ([grammar](#g-literal-expression)) {#sec-numeric-literals}
+
+Integer and bitvector literals may be expressed in either decimal or hexadecimal (`digits` or `hexdigits`).
+
+Real number literals are written as decimal fractions (`decimaldigits`).
+
diff --git a/v4.10.0/DafnyRef/GrammarDetails.md b/v4.10.0/DafnyRef/GrammarDetails.md
new file mode 100644
index 0000000..ce00966
--- /dev/null
+++ b/v4.10.0/DafnyRef/GrammarDetails.md
@@ -0,0 +1,1846 @@
+# 17. Dafny Grammar {#sec-grammar-details}
+
+The Dafny grammar has a traditional structure: a scanner tokenizes the textual input into a sequence of tokens; the parser consumes the tokens
+to produce an AST. The AST is then passed on for name and type resolution and further processing.
+
+Dafny uses the Coco/R lexer and parser generator for its lexer and parser
+(<http://www.ssw.uni-linz.ac.at/Research/Projects/Coco>)[@Linz:Coco].
+See the [Coco/R Reference
+manual](http://www.ssw.uni-linz.ac.at/Research/Projects/Coco/Doc/UserManual.pdf)
+for details.
+The Dafny input file to Coco/R is the `Dafny.atg` file in the source tree.
+
+The grammar is an _attributed extended BNF_ grammar.
+The _attributed_ adjective indicates that the BNF productions are
+parameterized by boolean parameters that control variations of the 
+production rules, such as whether a particular alternative is permitted or
+not. Using such attributes allows combining non-terminals with quite
+similar production rules, making a simpler, more compact and more
+readable grammer.
+
+The grammar rules presented here replicate those in the source
+code, but omit semantic actions, error recovery markers, and
+conflict resolution syntax. Some uses of the attribute
+parameters are described informally.
+
+The names of character sets and tokens start with a lower case
+letter; the names of grammar non-terminals start with
+an upper-case letter.
+
+
+
+
+## 17.1. Dafny Syntax
+
+This section gives the definitions of Dafny tokens.
+
+### 17.1.1. Classes of characters
+
+These definitions define some names as representing subsets of the set of characters. Here,
+
+* double quotes enclose the set of characters constituting the class, 
+* single quotes enclose a single character (perhaps an escaped representation using `\`), 
+* the binary `+` indicates set union, 
+* binary `-` indicates set difference, and 
+* `ANY` indicates the set of all (unicode) characters.
+
+````grammar
+letter = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+
+digit = "0123456789"
+posDigit = "123456789"
+posDigitFrom2 = "23456789"
+
+hexdigit = "0123456789ABCDEFabcdef"
+
+special = "'_?"
+
+cr        = '\r'
+
+lf        = '\n'
+
+tab       = '\t'
+
+space     = ' '
+
+nondigitIdChar = letter + special
+
+idchar = nondigitIdChar + digit
+
+nonidchar = ANY - idchar
+
+charChar = ANY - '\'' - '\\' - cr - lf
+
+stringChar = ANY - '"' - '\\' - cr - lf
+
+verbatimStringChar = ANY - '"'
+````
+
+A `nonidchar` is any character except those that can be used in an identifier.
+Here the scanner generator will interpret `ANY` as any unicode character.
+However, `nonidchar` is used only to mark the end of the `!in` token;
+in this context any character other than [whitespace or printable ASCII](#sec-unicode)
+will trigger a subsequent scanning or parsing error.
+
+### 17.1.2. Definitions of tokens {#sec-g-tokens}
+
+These definitions use 
+
+* double-quotes to indicate a verbatim string (with no escaping of characters)
+* `'"'` to indicate a literal double-quote character
+* vertical bar to indicate alternatives
+* square brackets to indicate an optional part
+* curly braces to indicate 0-or-more repetitions
+* parentheses to indicate grouping
+* a `-` sign to indicate set difference: any character sequence matched by the left operand except character sequences matched by the right operand
+* a sequence of any of the above to indicate concatenation without whitespace
+
+````grammar
+reservedword =
+    "abstract" | "allocated" | "as" | "assert" | "assume" |
+    "bool" | "break" | "by" |
+    "calc" | "case" | "char" | "class" | "codatatype" |
+    "const" | "constructor" | "continue" |
+    "datatype" | "decreases" |
+    "else" | "ensures" | "exists" | "expect" | "export" | "extends" |
+    "false" | "for" | "forall" | "fresh" | "function" | "ghost" |
+    "if" | "imap" | "import" | "in" | "include" |
+    "int" | "invariant" | "is" | "iset" | "iterator" |
+    "label" | "lemma" | "map" | "match" | "method" |
+    "modifies" | "modify" | "module" | "multiset" |
+    "nameonly" | "nat" | "new" | "newtype" | "null" |
+    "object" | "object?" | "old" | "opaque" | "opened" | "ORDINAL"
+    "predicate" | "print" | "provides" |
+    "reads" | "real" | "refines" | "requires" | "return" |
+    "returns" | "reveal" | "reveals" |
+    "seq" | "set" | "static" | "string" |
+    "then" | "this" | "trait" | "true" | "twostate" | "type" |
+    "unchanged" | "var" | "while" | "witness" |
+    "yield" | "yields" |
+    arrayToken | bvToken
+
+arrayToken = "array" [ posDigitFrom2 | posDigit digit { digit }]["?"]
+
+bvToken = "bv" ( 0 | posDigit { digit } )
+
+ident = nondigitIdChar { idchar } - charToken - reservedword
+
+digits = digit {["_"] digit}
+
+hexdigits = "0x" hexdigit {["_"] hexdigit}
+
+decimaldigits = digit {["_"] digit} '.' digit {["_"] digit}
+
+escapedChar =
+    ( "\'" | "\"" | "\\" | "\0" | "\n" | "\r" | "\t"
+      | "\u" hexdigit hexdigit hexdigit hexdigit
+      | "\U{" hexdigit { hexdigit } "}"
+    )
+
+charToken = "'" ( charChar | escapedChar ) "'"
+
+stringToken =
+    '"' { stringChar | escapedChar }  '"'
+  | "@" '"' { verbatimStringChar | '"' '"' } '"'
+
+ellipsis = "..."
+````
+
+There are a few words that have a special meaning in certain contexts, but are not 
+reserved words and can be used as identifiers outside of those contexts:
+
+* `least` and `greatest` are recognized as adjectives to the keyword `predicate` (cf. [Section 12.4](#sec-extreme)).
+* `older` is a modifier for parameters of non-extreme predicates (cf. [Section 6.4.6](#sec-older-parameters)).
+
+The `\uXXXX` form of an `escapedChar` is only used when the option `--unicode-char=false` is set (which is the default for Dafny 3.x);
+the `\U{XXXXXX}` form of an `escapedChar` is only used when the option `--unicode-char=true` is set (which is the default for Dafny 4.x).
+
+## 17.2. Dafny Grammar productions
+
+The grammar productions are presented in the following Extended BNF syntax:
+
+* identifiers starting with a lower case letter denote
+terminal symbols (tokens) as defined in the [previous subsection](#sec-g-tokens)
+* identifiers starting with an upper case letter denote nonterminal
+symbols
+* strings (a sequence of characters enclosed by double quote characters)
+denote the sequence of enclosed characters
+* `=` separates the sides of a production, e.g. `A = a b c`
+* `|` separates alternatives, e.g. `a b | c | d e` means `a b` or `c` or `d e`
+* `(` `)` groups alternatives, e.g. `(a | b) c` means `a c` or `b c`
+* `[ ]` option, e.g. `[a] b` means `a b` or `b`
+* `{ }` iteration (0 or more times), e.g. `{a} b` means `b` or `a b` or `a a b` or ...
+* We allow `|` inside `[ ]` and `{ }`. So `[a | b]` is short for `[(a | b)]`
+  and `{a | b}` is short for `{(a | b)}`.
+* `//` in a line introduces a comment that extends to the end-of-the line, but does not terminate the production
+* The first production defines the name of the grammar, in this case `Dafny`.
+
+In addition to the Coco rules, for the sake of readability we have adopted
+these additional conventions.
+
+* We allow `-` to be used. `a - b` means it matches if it matches `a` but not `b`.
+* We omit the `.` that marks the end of a CoCo/R production.
+* we omit deprecated features.
+
+To aid in explaining the grammar we have added some additional productions
+that are not present in the original grammar. We name these with a trailing
+underscore. Inlining these where they are referenced will reconstruct the original grammar.
+
+<!-- A note on formatting the sections below: LaTex renders the 'discussion' link in line with the heading for level-4 and higher headings.
+     I've not found a sensible way around it (and it is not worth much trouble). -->
+
+### 17.2.1. Programs {#g-program}
+([discussion](#sec-program)) 
+
+````grammar
+Dafny = { IncludeDirective_ } { TopDecl(isTopLevel:true, isAbstract: false) } EOF
+````
+
+
+#### 17.2.1.1. Include directives {#g-include-directive}
+([discussion](#sec-include-directive))
+
+````grammar
+IncludeDirective_ = "include" stringToken
+````
+
+#### 17.2.1.2. Top-level declarations {#g-top-level-declaration}
+([discussion](#sec-top-level-declaration))
+
+````grammar
+TopDecl(isTopLevel, isAbstract) =
+  { DeclModifier }
+  ( SubModuleDecl(isTopLevel)
+  | ClassDecl
+  | DatatypeDecl
+  | NewtypeDecl
+  | SynonymTypeDecl  // includes abstract types
+  | IteratorDecl
+  | TraitDecl
+  | ClassMemberDecl(allowConstructors: false, isValueType: true, moduleLevelDecl: true)
+  )
+````
+
+#### 17.2.1.3. Declaration modifiers {#g-declaration-modifier}
+([discussion](#sec-declaration-modifier)) 
+
+````grammar
+DeclModifier = ( "abstract" | "ghost" | "static" | "opaque" )
+````
+
+### 17.2.2. Modules {#g-module}
+
+````grammar
+SubModuleDecl(isTopLevel) = ( ModuleDefinition | ModuleImport | ModuleExport )
+````
+
+Module export declarations are not permitted if `isTopLevel` is true.
+
+#### 17.2.2.1. Module Definitions {#g-module-definition}
+([discussion](#sec-module-definition)) 
+
+````grammar
+ModuleDefinition(isTopLevel) = 
+  "module" { Attribute } ModuleQualifiedName
+  [ "refines" ModuleQualifiedName ]
+  "{" { TopDecl(isTopLevel:false, isAbstract) } "}"
+````
+
+The `isAbstract` argument is true if the preceding `DeclModifiers` include "abstract".
+
+#### 17.2.2.2. Module Imports {#g-module-import}
+([discussion](#sec-importing-modules)) 
+
+````grammar
+ModuleImport =
+  "import"
+  [ "opened" ]
+  ( QualifiedModuleExport
+  | ModuleName "=" QualifiedModuleExport
+  | ModuleName ":" QualifiedModuleExport
+  )
+
+QualifiedModuleExport =
+    ModuleQualifiedName [ "`" ModuleExportSuffix ]
+
+ModuleExportSuffix =
+  ( ExportId
+  | "{" ExportId { "," ExportId } "}"
+  )
+````
+
+#### 17.2.2.3. Module Export Definitions {#g-module-export}
+([discussion](#sec-export-sets)) 
+
+````grammar
+ModuleExport =
+  "export"
+  [ ExportId ]
+  [ "..." ]
+  {
+    "extends"  ExportId { "," ExportId }
+  | "provides" ( ExportSignature { "," ExportSignature } | "*" )
+  | "reveals"  ( ExportSignature { "," ExportSignature } | "*" )
+  }
+
+ExportSignature = TypeNameOrCtorSuffix [ "." TypeNameOrCtorSuffix ]
+````
+
+### 17.2.3. Types {#g-type}
+([discussion](#sec-types)) 
+
+````grammar
+Type = DomainType_ | ArrowType_
+
+DomainType_ =
+  ( BoolType_ | CharType_ | IntType_ | RealType_
+  | OrdinalType_ | BitVectorType_ | ObjectType_
+  | FiniteSetType_ | InfiniteSetType_
+  | MultisetType_
+  | FiniteMapType_ | InfiniteMapType_
+  | SequenceType_
+  | NatType_
+  | StringType_
+  | ArrayType_
+  | TupleType
+  | NamedType
+  )
+
+NamedType = NameSegmentForTypeName { "." NameSegmentForTypeName }
+
+NameSegmentForTypeName = Ident [ GenericInstantiation ]
+````
+
+
+#### 17.2.3.1. Basic types {#g-basic-type}
+([discussion](#sec-basic-type)) 
+
+````grammar
+BoolType_ = "bool"
+IntType_ = "int"
+RealType_ = "real"
+BitVectorType_ = bvToken
+OrdinalType_ = "ORDINAL"
+CharType_ = "char"
+````
+
+
+#### 17.2.3.2. Generic instantiation {#g-generic-instantiation}
+([discussion](#sec-generic-instantiation)) 
+
+````grammar
+GenericInstantiation = "<" Type { "," Type } ">"
+````
+
+#### 17.2.3.3. Type parameter {#g-type-parameter}
+([discussion](#sec-type-parameters)) 
+
+````grammar
+GenericParameters(allowVariance) =
+  "<" [ Variance ] TypeVariableName { TypeParameterCharacteristics }
+  { "," [ Variance ] TypeVariableName { TypeParameterCharacteristics } }
+  ">"
+
+// The optional Variance indicator is permitted only if allowVariance is true
+Variance = ( "*" | "+" | "!" | "-" )
+
+TypeParameterCharacteristics = "(" TPCharOption { "," TPCharOption } ")"
+
+TPCharOption = ( "==" | "0" | "00" | "!" "new" )
+````
+
+#### 17.2.3.4. Collection types {#g-collection-type}
+([discussion](#sec-collection-types)) 
+
+````grammar
+FiniteSetType_ = "set" [ GenericInstantiation ]
+
+InfiniteSetType_ = "iset" [ GenericInstantiation ]
+
+MultisetType_ = "multiset" [ GenericInstantiation ]
+
+SequenceType_ = "seq" [ GenericInstantiation ]
+
+StringType_ = "string"
+
+FiniteMapType_ = "map" [ GenericInstantiation ]
+
+InfiniteMapType_ = "imap" [ GenericInstantiation ]
+````
+
+#### 17.2.3.5. Type definitions {#g-type-definition}
+([discussion](#sec-type-definition)) 
+
+````grammar
+SynonymTypeDecl =
+  SynonymTypeDecl_ | OpaqueTypeDecl_ | SubsetTypeDecl_
+
+SynonymTypeName = NoUSIdent
+
+SynonymTypeDecl_ =
+  "type" { Attribute } SynonymTypeName
+   { TypeParameterCharacteristics }
+   [ GenericParameters ]
+   "=" Type
+
+OpaqueTypeDecl_ =
+  "type" { Attribute } SynonymTypeName
+   { TypeParameterCharacteristics }
+   [ GenericParameters ]
+   [ TypeMembers ]
+
+TypeMembers =
+  "{"
+  {
+    { DeclModifier }
+    ClassMemberDecl(allowConstructors: false,
+                    isValueType: true,
+                    moduleLevelDecl: false,
+                    isWithinAbstractModule: module.IsAbstract)
+  }
+  "}"
+
+SubsetTypeDecl_ =
+  "type"
+  { Attribute }
+  SynonymTypeName [ GenericParameters ]
+  "="
+  LocalIdentTypeOptional
+  "|"
+  Expression(allowLemma: false, allowLambda: true)
+  [ "ghost" "witness" Expression(allowLemma: false, allowLambda: true)
+  | "witness" Expression((allowLemma: false, allowLambda: true)
+  | "witness" "*"
+  ]
+
+NatType_ = "nat"
+
+NewtypeDecl = "newtype" { Attribute } NewtypeName "="
+  [ ellipsis ]
+  ( LocalIdentTypeOptional
+    "|"
+    Expression(allowLemma: false, allowLambda: true)
+    [ "ghost" "witness" Expression(allowLemma: false, allowLambda: true)
+    | "witness" Expression((allowLemma: false, allowLambda: true)
+    | "witness" "*"
+    ]
+  | Type
+  )
+  [ TypeMembers ]
+````
+
+
+#### 17.2.3.6. Class type {#g-class-type}
+([discussion](#sec-class-types)) 
+
+````grammar
+ClassDecl = "class" { Attribute } ClassName [ GenericParameters ]
+  ["extends" Type {"," Type} | ellipsis ]
+  "{" { { DeclModifier }
+        ClassMemberDecl(modifiers,
+                        allowConstructors: true,
+                        isValueType: false,
+                        moduleLevelDecl: false) 
+      }
+  "}"
+
+ClassMemberDecl(modifiers, allowConstructors, isValueType, moduleLevelDecl) =
+  ( FieldDecl(isValueType) // allowed iff moduleLevelDecl is false
+  | ConstantFieldDecl(moduleLevelDecl)
+  | FunctionDecl(isWithinAbstractModule)
+  | MethodDecl(modifiers, allowConstructors)
+  )
+````
+
+
+#### 17.2.3.7. Trait types {#g-trait-type}
+([discussion](#sec-trait-types)) 
+
+````grammar
+TraitDecl =
+  "trait" { Attribute } ClassName [ GenericParameters ]
+  [ "extends" Type { "," Type } | ellipsis ]
+  "{"
+   { { DeclModifier } ClassMemberDecl(allowConstructors: true,
+                                      isValueType: false,
+                                      moduleLevelDecl: false,
+                                      isWithinAbstractModule: false) }
+  "}"
+````
+
+#### 17.2.3.8. Object type {#g-object-type}
+([discussion](#sec-object-type)) 
+
+````grammar
+ObjectType_ = "object" | "object?"
+````
+
+#### 17.2.3.9. Array types {#g-array-type}
+([discussion](#sec-array-type)) 
+
+````grammar
+ArrayType_ = arrayToken [ GenericInstantiation ]
+````
+
+#### 17.2.3.10. Iterator types {#g-iterator-type}
+([discussion](#sec-iterator-types)) 
+
+````grammar
+IteratorDecl = "iterator" { Attribute } IteratorName
+  ( [ GenericParameters ]
+    Formals(allowGhostKeyword: true, allowNewKeyword: false, 
+                                     allowOlderKeyword: false)
+    [ "yields" Formals(allowGhostKeyword: true, allowNewKeyword: false, 
+                                                allowOlderKeyword: false) ]
+  | ellipsis
+  )
+  IteratorSpec
+  [ BlockStmt ]
+````
+
+#### 17.2.3.11. Arrow types {#g-arrow-type}
+([discussion](#sec-arrow-types)) 
+
+````grammar
+ArrowType_ = ( DomainType_ "~>" Type
+             | DomainType_ "-->" Type
+             | DomainType_ "->" Type
+             )
+````
+
+#### 17.2.3.12. Algebraic datatypes {#g-datatype}
+([discussion](#sec-datatype)) 
+
+````grammar
+DatatypeDecl =
+  ( "datatype" | "codatatype" )
+  { Attribute }
+  DatatypeName [ GenericParameters ]
+  "=" 
+  [ ellipsis ]
+  [ "|" ] DatatypeMemberDecl
+  { "|" DatatypeMemberDecl }
+  [ TypeMembers ]
+
+DatatypeMemberDecl =
+  { Attribute } DatatypeMemberName [ FormalsOptionalIds ]
+````
+
+### 17.2.4. Type member declarations {#g-member-declaration}
+([discussion](#sec-member-declaration)) 
+
+#### 17.2.4.1. Fields {#g-field-declaration}
+([discussion](#sec-field-declaration)) 
+
+````grammar
+FieldDecl(isValueType) =
+  "var" { Attribute } FIdentType { "," FIdentType }
+````
+
+A `FieldDecl` is not permitted if `isValueType` is true.
+
+#### 17.2.4.2. Constant fields {#g-const-declaration}
+([discussion](#sec-constant-field-declaration)) 
+
+````grammar
+ConstantFieldDecl(moduleLevelDecl) =
+  "const" { Attribute } CIdentType [ ellipsis ]
+   [ ":=" Expression(allowLemma: false, allowLambda:true) ]
+````
+
+If `moduleLevelDecl` is true, then the `static` modifier is not permitted
+(the constant field is static implicitly).
+
+#### 17.2.4.3. Method declarations {#g-method-declaration}
+([discussion](#sec-method-declaration)) 
+
+````grammar
+MethodDecl(isGhost, allowConstructors, isWithinAbstractModule) =
+  MethodKeyword_ { Attribute } [ MethodFunctionName ]
+  ( MethodSignature_(isGhost, isExtreme: true iff this is a least
+                                   or greatest lemma declaration)
+  | ellipsis
+  )
+  MethodSpec(isConstructor: true iff this is a constructor declaration)
+  [ BlockStmt ]
+
+MethodKeyword_ = ( "method"
+                 | "constructor"
+                 | "lemma"
+                 | "twostate" "lemma"
+                 | "least" "lemma"
+                 | "greatest" "lemma"
+                 )
+
+
+MethodSignature_(isGhost, isExtreme) =
+  [ GenericParameters ]
+  [ KType ]    // permitted only if isExtreme == true
+  Formals(allowGhostKeyword: !isGhost, allowNewKeyword: isTwostateLemma, 
+          allowOlderKeyword: false, allowDefault: true)
+  [ "returns" Formals(allowGhostKeyword: !isGhost, allowNewKeyword: false, 
+                      allowOlderKeyword: false, allowDefault: false) ]
+
+KType = "[" ( "nat" | "ORDINAL" ) "]"
+
+Formals(allowGhostKeyword, allowNewKeyword, allowOlderKeyword, allowDefault) =
+  "(" [ { Attribute } GIdentType(allowGhostKeyword, allowNewKeyword, allowOlderKeyword,
+                   allowNameOnlyKeyword: true, allowDefault)
+        { "," { Attribute } GIdentType(allowGhostKeyword, allowNewKeyword, allowOlderKeyword,
+                         allowNameOnlyKeyword: true, allowDefault) }
+      ]
+  ")"
+````
+
+If `isWithinAbstractModule` is false, then the method must have
+a body for the program that contains the declaration to be compiled.
+
+The `KType` may be specified only for least and greatest lemmas.
+
+#### 17.2.4.4. Function declarations {#g-function-declaration}
+([discussion](#sec-function-declaration)) 
+
+````grammar
+FunctionDecl(isWithinAbstractModule) =
+  ( [ "twostate" ] "function" [ "method" ] { Attribute }
+    MethodFunctionName
+    FunctionSignatureOrEllipsis_(allowGhostKeyword:
+                                           ("method" present),
+                                 allowNewKeyword:
+                                           "twostate" present)
+  | "predicate" [ "method" ] { Attribute }
+    MethodFunctionName
+    PredicateSignatureOrEllipsis_(allowGhostKeyword:
+                                           ("method" present),
+                                  allowNewKeyword:
+                                           "twostate" present,
+                                  allowOlderKeyword: true)
+  | ( "least" | "greatest" ) "predicate" { Attribute }
+    MethodFunctionName
+    PredicateSignatureOrEllipsis_(allowGhostKeyword: false,
+                         allowNewKeyword: "twostate" present,
+                         allowOlderKeyword: false))
+  )
+  FunctionSpec
+  [ FunctionBody ]
+
+FunctionSignatureOrEllipsis_(allowGhostKeyword) =
+  FunctionSignature_(allowGhostKeyword) | ellipsis
+
+FunctionSignature_(allowGhostKeyword, allowNewKeyword) =
+  [ GenericParameters ]
+  Formals(allowGhostKeyword, allowNewKeyword, allowOlderKeyword: true, 
+          allowDefault: true)
+  ":"
+  ( Type
+  | "(" GIdentType(allowGhostKeyword: false,
+                   allowNewKeyword: false,
+                   allowOlderKeyword: false,
+                   allowNameOnlyKeyword: false,
+                   allowDefault: false)
+    ")"
+  )
+
+PredicateSignatureOrEllipsis_(allowGhostKeyword, allowNewKeyword, 
+                              allowOlderKeyword) =
+    PredicateSignature_(allowGhostKeyword, allowNewKeyword, allowOlderKeyword) 
+  | ellipsis
+
+PredicateSignature_(allowGhostKeyword, allowNewKeyword, allowOlderKeyword) =
+  [ GenericParameters ]
+  [ KType ]
+  Formals(allowGhostKeyword, allowNewKeyword, allowOlderKeyword, 
+          allowDefault: true)
+  [
+    ":"
+    ( Type
+    | "(" Ident ":" "bool" ")"
+    )
+  ]
+
+FunctionBody = "{" Expression(allowLemma: true, allowLambda: true)
+               "}" [ "by" "method" BlockStmt ]
+````
+
+### 17.2.5. Specifications
+
+#### 17.2.5.1. Method specifications {#g-method-specification}
+([discussion](#sec-method-specification)) 
+
+````grammar
+MethodSpec =
+  { ModifiesClause(allowLambda: false)
+  | RequiresClause(allowLabel: true)
+  | EnsuresClause(allowLambda: false)
+  | DecreasesClause(allowWildcard: true, allowLambda: false)
+  }
+````
+
+#### 17.2.5.2. Function specifications {#g-function-specification}
+([discussion](#sec-function-specification)) 
+
+````grammar
+FunctionSpec =
+  { RequiresClause(allowLabel: true)
+  | ReadsClause(allowLemma: false, allowLambda: false, allowWild: true)
+  | EnsuresClause(allowLambda: false)
+  | DecreasesClause(allowWildcard: false, allowLambda: false)
+  }
+````
+
+#### 17.2.5.3. Lambda function specifications {#g-lambda-specification}
+([discussion](#sec-lambda-specification)) 
+
+````grammar
+LambdaSpec =
+  { ReadsClause(allowLemma: true, allowLambda: false, allowWild: true)
+  | "requires" Expression(allowLemma: false, allowLambda: false)
+  }
+````
+
+#### 17.2.5.4. Iterator specifications {#g-iterator-specification}
+([discussion](#sec-iterator-specification)) 
+
+````grammar
+IteratorSpec =
+  { ReadsClause(allowLemma: false, allowLambda: false,
+                                  allowWild: false)
+  | ModifiesClause(allowLambda: false)
+  | [ "yield" ] RequiresClause(allowLabel: !isYield)
+  | [ "yield" ] EnsuresClause(allowLambda: false)
+  | DecreasesClause(allowWildcard: false, allowLambda: false)
+  }
+````
+
+#### 17.2.5.5. Loop specifications {#g-loop-specification}
+([discussion](#sec-loop-specification)) 
+
+````grammar
+LoopSpec =
+  { InvariantClause_
+  | DecreasesClause(allowWildcard: true, allowLambda: true)
+  | ModifiesClause(allowLambda: true)
+  }
+````
+
+#### 17.2.5.6. Requires clauses {#g-requires-clause}
+([discussion](#sec-requires-clause)) 
+
+````grammar
+RequiresClause(allowLabel) =
+  "requires" { Attribute }
+  [ LabelName ":" ]  // Label allowed only if allowLabel is true
+  Expression(allowLemma: false, allowLambda: false)
+````
+
+#### 17.2.5.7. Ensures clauses {#g-ensures-clause}
+([discussion](#sec-ensures-clause)) 
+
+````grammar
+EnsuresClause(allowLambda) =
+  "ensures" { Attribute } Expression(allowLemma: false, allowLambda)
+````
+
+#### 17.2.5.8. Decreases clauses {#g-decreases-clause}
+([discussion](#sec-decreases-clause)) 
+
+````grammar
+DecreasesClause(allowWildcard, allowLambda) =
+  "decreases" { Attribute } DecreasesList(allowWildcard, allowLambda)
+
+DecreasesList(allowWildcard, allowLambda) =
+  PossiblyWildExpression(allowLambda, allowWildcard)
+  { "," PossiblyWildExpression(allowLambda, allowWildcard) }
+
+PossiblyWildExpression(allowLambda, allowWild) =
+  ( "*"  // if allowWild is false, using '*' provokes an error
+  | Expression(allowLemma: false, allowLambda)
+  )
+````
+
+#### 17.2.5.9. Modifies clauses {#g-modifies-clause}
+([discussion](#sec-modifies-clause)) 
+
+````grammar
+ModifiesClause(allowLambda) =
+  "modifies" { Attribute }
+  FrameExpression(allowLemma: false, allowLambda)
+  { "," FrameExpression(allowLemma: false, allowLambda) }
+````
+
+#### 17.2.5.10. Invariant clauses {#g-invariant-clause}
+([discussion](#sec-invariant-clause)) 
+
+````grammar
+InvariantClause_ =
+  "invariant" { Attribute }
+  Expression(allowLemma: false, allowLambda: true)
+````
+
+#### 17.2.5.11. Reads clauses {#g-reads-clause}
+([discussion](#sec-reads-clause)) 
+
+````grammar
+ReadsClause(allowLemma, allowLambda, allowWild) =
+  "reads" { Attribute }
+  PossiblyWildFrameExpression(allowLemma, allowLambda, allowWild)
+  { "," PossiblyWildFrameExpression(allowLemma, allowLambda, allowWild) }
+````
+
+#### 17.2.5.12. Frame expressions {#g-frame-expression}
+([discussion](#sec-frame-expression)) 
+
+````grammar
+FrameExpression(allowLemma, allowLambda) =
+  ( Expression(allowLemma, allowLambda) [ FrameField ]
+  | FrameField
+  )
+
+FrameField = "`" IdentOrDigits
+
+PossiblyWildFrameExpression(allowLemma, allowLambda, allowWild) =
+  ( "*"  // error if !allowWild and '*'
+  | FrameExpression(allowLemma, allowLambda)
+  )
+````
+
+### 17.2.6. Statements {#g-statement}
+
+#### 17.2.6.1. Labeled statement {#g-labeled-statement}
+
+([discussion](#sec-labeled-statement)) 
+
+````grammar
+Stmt = { "label" LabelName ":" } NonLabeledStmt
+````
+
+#### 17.2.6.2. Non-Labeled statement {#g-nonlabeled-statement}
+
+([discussion](#sec-statements)) 
+
+````grammar
+NonLabeledStmt =
+  ( AssertStmt | AssumeStmt | BlockStmt | BreakStmt
+  | CalcStmt | ExpectStmt | ForallStmt | IfStmt
+  | MatchStmt | ModifyStmt
+  | PrintStmt | ReturnStmt | RevealStmt
+  | UpdateStmt | UpdateFailureStmt
+  | VarDeclStatement | WhileStmt | ForLoopStmt | YieldStmt
+  )
+````
+
+#### 17.2.6.3. Break and continue statements {#g-break-continue-statement}
+
+([discussion](#sec-break-continue-statement)) 
+
+````grammar
+BreakStmt =
+  ( "break" LabelName ";"
+  | "continue" LabelName ";"
+  | { "break" } "break" ";"
+  | { "break" } "continue" ";"
+  )
+````
+
+#### 17.2.6.4. Block statement {#g-block-statement}
+
+([discussion](#sec-block-statement)) 
+
+````grammar
+BlockStmt = "{" { Stmt } "}"
+````
+
+#### 17.2.6.5. Return statement {#g-return-statement}
+
+([discussion](#sec-return-statement)) 
+
+````grammar
+ReturnStmt = "return" [ Rhs { "," Rhs } ] ";"
+````
+
+#### 17.2.6.6. Yield statement {#g-yield-statement}
+
+([discussion](#sec-yield-statement)) 
+
+````grammar
+YieldStmt = "yield" [ Rhs { "," Rhs } ] ";"
+````
+
+#### 17.2.6.7. Update and call statement {#g-update-and-call-statement}
+
+([discussion](#sec-update-and-call-statement)) 
+
+````grammar
+UpdateStmt =
+  Lhs
+  ( {Attribute} ";"
+  |
+    { "," Lhs }
+    ( ":=" Rhs { "," Rhs }
+    | ":|" [ "assume" ]
+               Expression(allowLemma: false, allowLambda: true)
+    )
+    ";"
+  )
+````
+
+#### 17.2.6.8. Update with failure statement {#g-update-with-failure-statement}
+
+([discussion](#sec-update-with-failure-statement)) 
+
+````grammar
+UpdateFailureStmt  =
+  [ Lhs { "," Lhs } ]
+  ":-"
+  [ "expect"  | "assert" | "assume" ]
+  Expression(allowLemma: false, allowLambda: false)
+  { "," Rhs }
+  ";"
+````
+
+#### 17.2.6.9. Variable declaration statement {#g-variable-declaration-statement}
+
+([discussion](#sec-variable-declaration-statement)) 
+
+````grammar
+VarDeclStatement =
+  [ "ghost" ] "var" { Attribute }
+  (
+    LocalIdentTypeOptional
+    { "," { Attribute } LocalIdentTypeOptional }
+    [ ":="
+      Rhs { "," Rhs }
+    | ":-"
+      [ "expect" | "assert" | "assume" ]
+      Expression(allowLemma: false, allowLambda: false)
+      { "," Rhs }
+    | { Attribute }
+      ":|"
+      [ "assume" ] Expression(allowLemma: false, allowLambda: true)
+    ]
+  |
+    CasePatternLocal
+    ( ":=" | { Attribute } ":|" )
+    Expression(allowLemma: false, allowLambda: true)
+  )
+  ";"
+
+CasePatternLocal = 
+  ( [ Ident ] "(" CasePatternLocal { "," CasePatternLocal } ")"
+  | LocalIdentTypeOptional
+  )
+````
+
+#### 17.2.6.10. Guards {#g-guard}
+
+([discussion](#sec-guard)) 
+
+````grammar
+Guard = ( "*"
+        | "(" "*" ")"
+        | Expression(allowLemma: true, allowLambda: true)
+        )
+````
+
+#### 17.2.6.11. Binding guards {#g-binding-guard} 
+
+([discussion](#sec-binding-guards))
+
+````grammar
+BindingGuard(allowLambda) =
+  IdentTypeOptional { "," IdentTypeOptional }
+  { Attribute }
+  ":|"
+  Expression(allowLemma: true, allowLambda)
+````
+
+#### 17.2.6.12. If statement {#g-if-statement}
+
+([discussion](#sec-if-statement)) 
+
+````grammar
+IfStmt = "if"
+  ( AlternativeBlock(allowBindingGuards: true)
+  |
+    ( BindingGuard(allowLambda: true)
+    | Guard
+    )
+    BlockStmt [ "else" ( IfStmt | BlockStmt ) ]
+  )
+
+AlternativeBlock(allowBindingGuards) =
+  ( { AlternativeBlockCase(allowBindingGuards) }
+  | "{" { AlternativeBlockCase(allowBindingGuards) } "}"
+  )
+
+AlternativeBlockCase(allowBindingGuards) =
+  { "case"
+    (
+    BindingGuard(allowLambda: false) //permitted iff allowBindingGuards == true
+    | Expression(allowLemma: true, allowLambda: false)
+    ) "=>" { Stmt }
+  }
+````
+
+#### 17.2.6.13. While Statement {#g-while-statement}
+
+([discussion](#sec-while-statement)) 
+
+````grammar
+WhileStmt =
+  "while"
+  ( LoopSpec
+    AlternativeBlock(allowBindingGuards: false)
+  | Guard
+    LoopSpec
+    ( BlockStmt
+    |           // no body
+    )
+  )
+````
+
+#### 17.2.6.14. For statement {#g-for-statement}
+
+([discussion](#sec-for-statement))
+
+````grammar
+ForLoopStmt =
+  "for" IdentTypeOptional ":="
+  Expression(allowLemma: false, allowLambda: false)
+  ( "to" | "downto" )
+  ( "*" | Expression(allowLemma: false, allowLambda: false)
+  )
+  LoopSpec
+  ( BlockStmt
+  |           // no body
+  )
+````
+
+#### 17.2.6.15. Match statement {#g-match-statement}
+
+([discussion](#sec-match-statement)) 
+
+````grammar
+MatchStmt =
+  "match"
+  Expression(allowLemma: true, allowLambda: true)
+  ( "{" { CaseStmt } "}"
+  | { CaseStmt }
+  )
+
+CaseStmt = "case" ExtendedPattern "=>" { Stmt }
+````
+
+#### 17.2.6.16. Assert statement {#g-assert-statement}
+
+([discussion](#sec-assert-statement)) 
+
+````grammar
+AssertStmt =
+  "assert"
+  { Attribute }
+  [ LabelName ":" ]
+  Expression(allowLemma: false, allowLambda: true)
+  ( ";"
+  | "by" BlockStmt
+  )
+````
+
+#### 17.2.6.17. Assume statement {#g-assume-statement}
+
+([discussion](#sec-assume-statement)) 
+
+````grammar
+AssumeStmt =
+  "assume"
+  { Attribute }
+  Expression(allowLemma: false, allowLambda: true)
+  ";"
+````
+
+#### 17.2.6.18. Expect statement {#g-expect-statement}
+
+([discussion](#sec-expect-statement)) 
+
+````grammar
+ExpectStmt =
+  "expect"
+  { Attribute }
+  Expression(allowLemma: false, allowLambda: true)
+  [ "," Expression(allowLemma: false, allowLambda: true) ]
+  ";"
+````
+
+#### 17.2.6.19. Print statement {#g-print-statement}
+
+([discussion](#sec-print-statement)) 
+
+````grammar
+PrintStmt =
+  "print"
+  Expression(allowLemma: false, allowLambda: true)
+  { "," Expression(allowLemma: false, allowLambda: true) }
+  ";"
+````
+
+#### 17.2.6.20. Reveal statement {#g-reveal-statement}
+
+([discussion](#sec-reveal-statement)) 
+
+````grammar
+RevealStmt =
+  "reveal"
+  Expression(allowLemma: false, allowLambda: true)
+  { "," Expression(allowLemma: false, allowLambda: true) }
+  ";"
+````
+#### 17.2.6.21. Forall statement {#g-forall-statement}
+
+([discussion](#sec-forall-statement)) 
+
+````grammar
+ForallStmt =
+  "forall"
+  ( "(" [ QuantifierDomain ] ")"
+  | [ QuantifierDomain ]
+  )
+  { EnsuresClause(allowLambda: true) }
+  [ BlockStmt ]
+````
+#### 17.2.6.22. Modify statement {#g-modify-statement}
+
+([discussion](#sec-modify-statement)) 
+
+````grammar
+ModifyStmt =
+  "modify"
+  { Attribute }
+  FrameExpression(allowLemma: false, allowLambda: true)
+  { "," FrameExpression(allowLemma: false, allowLambda: true) }
+  ";"
+````
+
+#### 17.2.6.23. Calc statement {#g-calc-statement}
+
+([discussion](#sec-calc-statement)) 
+
+````grammar
+CalcStmt = "calc" { Attribute } [ CalcOp ] "{" CalcBody_ "}"
+
+CalcBody_ = { CalcLine_ [ CalcOp ] Hints_ }
+
+CalcLine_ = Expression(allowLemma: false, allowLambda: true) ";"
+
+Hints_ = { ( BlockStmt | CalcStmt ) }
+
+CalcOp =
+  ( "==" [ "#" "["
+           Expression(allowLemma: true, allowLambda: true) "]" ]
+  | "<" | ">"
+  | "!=" | "<=" | ">="
+  | "<==>" | "==>" | "<=="
+  )
+````
+
+#### 17.2.6.24. Opaque block {#g-opaque-block}
+
+([discussion](#sec-opaque-block))
+
+````grammar
+OpaqueBlock = "opaque" OpaqueSpec BlockStmt
+  
+OpaqueSpec = {
+  | ModifiesClause(allowLambda: false)
+  | EnsuresClause(allowLambda: false)
+}
+````
+
+### 17.2.7. Expressions
+
+#### 17.2.7.1. Top-level expression {#g-top-level-expression}
+
+([discussion](#sec-top-level-expression)) 
+
+````grammar
+Expression(allowLemma, allowLambda, allowBitwiseOps = true) =
+  EquivExpression(allowLemma, allowLambda, allowBitwiseOps)
+  [ ";" Expression(allowLemma, allowLambda, allowBitwiseOps) ]
+````
+
+The "allowLemma" argument says whether or not the expression
+to be parsed is allowed to have the form `S;E` where `S` is a call to a lemma.
+"allowLemma" should be passed in as "false" whenever the expression to
+be parsed sits in a context that itself is terminated by a semi-colon.
+
+The "allowLambda" says whether or not the expression to be parsed is
+allowed to be a lambda expression.  More precisely, an identifier or
+parenthesized, comma-delimited list of identifiers is allowed to
+continue as a lambda expression (that is, continue with a `reads`, `requires`,
+or `=>`) only if "allowLambda" is true.  This affects function/method/iterator
+specifications, if/while statements with guarded alternatives, and expressions
+in the specification of a lambda expression itself.
+
+#### 17.2.7.2. Equivalence expression {#g-equivalence-expression}
+
+([discussion](#sec-equivalence-expression)) 
+
+````grammar
+EquivExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  ImpliesExpliesExpression(allowLemma, allowLambda, allowBitwiseOps)
+  { "<==>" ImpliesExpliesExpression(allowLemma, allowLambda, allowBitwiseOps) }
+````
+
+#### 17.2.7.3. Implies expression {#g-implies-expression}
+
+([discussion](#sec-implies-expression)) 
+
+````grammar
+ImpliesExpliesExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  LogicalExpression(allowLemma, allowLambda)
+  [ (  "==>" ImpliesExpression(allowLemma, allowLambda, allowBitwiseOps)
+    | "<==" LogicalExpression(allowLemma, allowLambda, allowBitwiseOps)
+            { "<==" LogicalExpression(allowLemma, allowLambda, allowBitwiseOps) }
+    )
+  ]
+
+ImpliesExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  LogicalExpression(allowLemma, allowLambda, allowBitwiseOps)
+  [  "==>" ImpliesExpression(allowLemma, allowLambda, allowBitwiseOps) ]
+````
+
+#### 17.2.7.4. Logical expression {#g-logical-expression}
+
+([discussion](#sec-logical-expression)) 
+
+````grammar
+LogicalExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  [ "&&" | "||" ]
+  RelationalExpression(allowLemma, allowLambda, allowBitwiseOps)
+  { ( "&&" | "||" )
+    RelationalExpression(allowLemma, allowLambda, allowBitwiseOps)
+  }
+````
+
+#### 17.2.7.5. Relational expression {#g-relational-expression}
+
+([discussion](#sec-relational-expression)) 
+
+````grammar
+RelationalExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  ShiftTerm(allowLemma, allowLambda, allowBitwiseOps)
+  { RelOp ShiftTerm(allowLemma, allowLambda, allowBitwiseOps) }
+
+RelOp =
+  ( "=="
+    [ "#" "[" Expression(allowLemma: true, allowLambda: true) "]" ]
+  | "!="
+    [ "#" "[" Expression(allowLemma: true, allowLambda: true) "]" ]
+  | "<" | ">" | "<=" | ">="
+  | "in"
+  | "!in"
+  | "!!"
+  )
+````
+
+#### 17.2.7.6. Bit-shift expression {#g-bit-shift-expression}
+
+([discussion](#sec-bit-shift-expression)) 
+
+````grammar
+ShiftTerm(allowLemma, allowLambda, allowBitwiseOps) =
+  Term(allowLemma, allowLambda, allowBitwiseOps)
+  { ShiftOp Term(allowLemma, allowLambda, allowBitwiseOps) }
+
+ShiftOp = ( "<<" | ">>" )
+````
+
+#### 17.2.7.7. Term (addition operations) {#g-term}
+
+([discussion](#sec-addition-expression)) 
+
+````grammar
+Term(allowLemma, allowLambda, allowBitwiseOps) =
+  Factor(allowLemma, allowLambda, allowBitwiseOps)
+  { AddOp Factor(allowLemma, allowLambda, allowBitwiseOps) }
+
+AddOp = ( "+" | "-" )
+````
+
+#### 17.2.7.8. Factor (multiplication operations) {#g-factor}
+
+([discussion](#sec-multiplication-expression)) 
+
+````grammar
+Factor(allowLemma, allowLambda, allowBitwiseOps) =
+  BitvectorFactor(allowLemma, allowLambda, allowBitwiseOps)
+  { MulOp BitvectorFactor(allowLemma, allowLambda, allowBitwiseOps) }
+
+MulOp = ( "*" | "/" | "%" )
+````
+
+#### 17.2.7.9. Bit-vector expression {#g-bit-vector-expression}
+([discussion](#sec-bitvector-expression)) 
+
+````grammar
+BitvectorFactor(allowLemma, allowLambda, allowBitwiseOps) =
+  AsExpression(allowLemma, allowLambda, allowBitwiseOps)
+  { BVOp AsExpression(allowLemma, allowLambda, allowBitwiseOps) }
+
+BVOp = ( "|" | "&" | "^" )
+````
+
+If `allowBitwiseOps` is false, it is an error to have a bitvector operation.
+
+#### 17.2.7.10. As/Is expression {#g-as-is-expression}
+([discussion](#sec-as-is-expression)) 
+
+````grammar
+AsExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  UnaryExpression(allowLemma, allowLambda, allowBitwiseOps)
+  { ( "as" | "is" ) Type }
+````
+
+#### 17.2.7.11. Unary expression {#g-unary-expression}
+([discussion](#sec-unary-expression)) 
+
+````grammar
+UnaryExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  ( "-" UnaryExpression(allowLemma, allowLambda, allowBitwiseOps)
+  | "!" UnaryExpression(allowLemma, allowLambda, allowBitwiseOps)
+  | PrimaryExpression(allowLemma, allowLambda, allowBitwiseOps)
+  )
+````
+
+#### 17.2.7.12. Primary expression {#g-primary-expression}
+([discussion](#sec-primary-expression)) 
+
+````grammar
+PrimaryExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  ( NameSegment { Suffix }
+  | LambdaExpression(allowLemma, allowBitwiseOps)
+  | MapDisplayExpr { Suffix }
+  | SeqDisplayExpr { Suffix }
+  | SetDisplayExpr { Suffix }
+  | EndlessExpression(allowLemma, allowLambda, allowBitwiseOps)
+  | ConstAtomExpression { Suffix }
+  )
+````
+
+#### 17.2.7.13. Lambda expression {#g-lambda-expression}
+([discussion](#sec-lambda-expression)) 
+
+````grammar
+LambdaExpression(allowLemma, allowBitwiseOps) =
+  ( WildIdent
+  | "(" [ IdentTypeOptional { "," IdentTypeOptional } ] ")"
+  )
+  LambdaSpec
+  "=>"
+  Expression(allowLemma, allowLambda: true, allowBitwiseOps)
+````
+
+#### 17.2.7.14. Left-hand-side expression {#g-lhs-expression}
+([discussion](#sec-lhs-expression)) {
+
+````grammar
+Lhs =
+  ( NameSegment { Suffix }
+  | ConstAtomExpression Suffix { Suffix }
+  )
+````
+
+#### 17.2.7.15. Right-hand-side expression {#g-rhs-expression}
+([discussion](#sec-rhs-expression)) 
+
+````grammar
+Rhs =
+    ArrayAllocation
+  | ObjectAllocation_
+  | Expression(allowLemma: false, allowLambda: true, allowBitwiseOps: true)
+  | HavocRhs_
+  )
+  { Attribute }
+````
+
+#### 17.2.7.16. Array allocation right-hand-side expression {#g-array-allocation-expression}
+([discussion](#sec-array-allocation)) 
+
+````grammar
+ArrayAllocation_ =
+  "new" [ Type ] "[" [ Expressions ] "]"
+  [ "(" Expression(allowLemma: true, allowLambda: true) ")"
+  | "[" [ Expressions ] "]"
+  ]
+````
+
+#### 17.2.7.17. Object allocation right-hand-side expression {#g-object-allocation-expression}
+([discussion](#sec-object-allocation)) 
+
+````grammar
+ObjectAllocation_ = "new" Type [ "." TypeNameOrCtorSuffix ]
+                               [ "(" [ Bindings ] ")" ]
+````
+
+#### 17.2.7.18. Havoc right-hand-side expression {#g-havoc-expression}
+([discussion](#sec-havoc-expression)) 
+
+````grammar
+HavocRhs_ = "*"
+````
+
+#### 17.2.7.19. Atomic expressions {#g-atomic-expression}
+([discussion](#sec-atomic-expression)) 
+
+````grammar
+ConstAtomExpression =
+  ( LiteralExpression
+  | ThisExpression_
+  | FreshExpression_
+  | AllocatedExpression_
+  | UnchangedExpression_
+  | OldExpression_
+  | CardinalityExpression_
+  | ParensExpression
+  )
+````
+
+#### 17.2.7.20. Literal expressions {#g-literal-expression}
+([discussion](#sec-literal-expression)) 
+
+````grammar
+LiteralExpression =
+ ( "false" | "true" | "null" | Nat | Dec |
+   charToken | stringToken )
+
+Nat = ( digits | hexdigits )
+
+Dec = decimaldigits
+````
+
+#### 17.2.7.21. This expression {#g-this-expression}
+([discussion](#sec-this-expression)) 
+
+````grammar
+ThisExpression_ = "this"
+````
+
+#### 17.2.7.22. Old and Old@ Expressions {#g-old-expression}
+([discussion](#sec-old-expression)) 
+
+````grammar
+OldExpression_ =
+  "old" [ "@" LabelName ]
+  "(" Expression(allowLemma: true, allowLambda: true) ")"
+````
+
+#### 17.2.7.23. Fresh Expressions {#g-fresh-expression}
+([discussion](#sec-fresh-expression)) 
+
+````grammar
+FreshExpression_ =
+  "fresh" [ "@" LabelName ]
+  "(" Expression(allowLemma: true, allowLambda: true) ")"
+````
+
+#### 17.2.7.24. Allocated Expressions {#g-allocated-expression}
+([discussion](#sec-allocated-expression)) 
+
+````grammar
+AllocatedExpression_ =
+  "allocated" "(" Expression(allowLemma: true, allowLambda: true) ")"
+````
+
+#### 17.2.7.25. Unchanged Expressions {#g-unchanged-expression}
+([discussion](#sec-unchanged-expression)) 
+
+````grammar
+UnchangedExpression_ =
+  "unchanged" [ "@" LabelName ]
+  "(" FrameExpression(allowLemma: true, allowLambda: true)
+      { "," FrameExpression(allowLemma: true, allowLambda: true) }
+  ")"
+````
+
+#### 17.2.7.26. Cardinality Expressions {#g-cardinality-expression}
+([discussion](#sec-cardinality-expression)) 
+
+````grammar
+CardinalityExpression_ =
+  "|" Expression(allowLemma: true, allowLambda: true) "|"
+````
+
+#### 17.2.7.27. Parenthesized Expression {#g-parenthesized-expression}
+([discussion](#sec-parenthesized-expression)) 
+
+````grammar
+ParensExpression =
+  "(" [ TupleArgs ] ")"
+
+TupleArgs =
+  [ "ghost" ]
+  ActualBinding(isGhost) // argument is true iff the ghost modifier is present
+  { ","
+    [ "ghost" ]
+    ActualBinding(isGhost) // argument is true iff the ghost modifier is present
+  }
+````
+
+#### 17.2.7.28. Sequence Display Expression {#g-sequence-display-expression}
+([discussion](#sec-seq-comprehension)) 
+
+````grammar
+SeqDisplayExpr =
+  ( "[" [ Expressions ] "]"
+  | "seq" [ GenericInstantiation ]
+    "(" Expression(allowLemma: true, allowLambda: true)
+    "," Expression(allowLemma: true, allowLambda: true)
+    ")"
+  )
+````
+
+#### 17.2.7.29. Set Display Expression {#g-set-display-expression}
+([discussion](#sec-set-display-expression)) 
+
+````grammar
+SetDisplayExpr =
+  ( [ "iset" | "multiset" ] "{" [ Expressions ] "}"
+  | "multiset" "(" Expression(allowLemma: true,
+                              allowLambda: true) ")"
+  )
+````
+
+#### 17.2.7.30. Map Display Expression {#g-map-display-expression}
+([discussion](#sec-map-display-expression)) 
+
+````grammar
+MapDisplayExpr =
+  ("map" | "imap" ) "[" [ MapLiteralExpressions ] "]"
+
+MapLiteralExpressions =
+  Expression(allowLemma: true, allowLambda: true)
+  ":=" 
+  Expression(allowLemma: true, allowLambda: true)
+  { "," 
+    Expression(allowLemma: true, allowLambda: true)
+    ":=" 
+    Expression(allowLemma: true, allowLambda: true)
+  }
+````
+
+#### 17.2.7.31. Endless Expression {#g-endless-expression}
+([discussion](#sec-endless-expression)) 
+
+````grammar
+EndlessExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  ( IfExpression(allowLemma, allowLambda, allowBitwiseOps)
+  | MatchExpression(allowLemma, allowLambda, allowBitwiseOps)
+  | QuantifierExpression(allowLemma, allowLambda)
+  | SetComprehensionExpr(allowLemma, allowLambda, allowBitwiseOps)
+  | StmtInExpr
+    Expression(allowLemma, allowLambda, allowBitwiseOps)
+  | LetExpression(allowLemma, allowLambda, allowBitwiseOps)
+  | MapComprehensionExpr(allowLemma, allowLambda, allowBitwiseOps)
+  )
+````
+
+#### 17.2.7.32. If expression {#g-if-expression}
+([discussion](#sec-if-expression)) 
+
+````grammar
+IfExpression(allowLemma, allowLambda, allowBitwiseOps) =
+    "if" ( BindingGuard(allowLambda: true)
+         | Expression(allowLemma: true, allowLambda: true, allowBitwiseOps: true)
+         )
+    "then" Expression(allowLemma: true, allowLambda: true, allowBitwiseOps: true)
+    "else" Expression(allowLemma, allowLambda, allowBitwiseOps)
+````
+
+#### 17.2.7.33. Match Expression {#g-match-expression}
+([discussion](#sec-match-expression)) 
+
+````grammar
+MatchExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  "match"
+  Expression(allowLemma, allowLambda, allowBitwiseOps)
+  ( "{" { CaseExpression(allowLemma: true, allowLambda, allowBitwiseOps: true) } "}"
+  | { CaseExpression(allowLemma, allowLambda, allowBitwiseOps) }
+  )
+
+CaseExpression(allowLemma, allowLambda, allowBitwiseOps) =
+  "case" { Attribute } ExtendedPattern "=>" Expression(allowLemma, allowLambda, allowBitwiseOps)
+````
+
+#### 17.2.7.34. Case and Extended Patterns {#g-pattern}
+([discussion](#sec-case-pattern)) 
+
+````grammar
+CasePattern =
+  ( IdentTypeOptional
+  | [Ident] "(" [ CasePattern { "," CasePattern } ] ")"
+  )
+
+SingleExtendedPattern =
+  ( PossiblyNegatedLiteralExpression
+  | IdentTypeOptional
+  | [ Ident ] "(" [ SingleExtendedPattern { "," SingleExtendedPattern } ] ")"
+  )
+
+ExtendedPattern =
+  ( [ "|" ] SingleExtendedPattern { "|" SingleExtendedPattern } )
+
+PossiblyNegatedLiteralExpression =
+  ( "-" ( Nat | Dec )
+  | LiteralExpression
+  )
+````
+
+#### 17.2.7.35. Quantifier expression {#g-quantifier-expression}
+([discussion](#sec-quantifier-expression)) 
+
+````grammar
+QuantifierExpression(allowLemma, allowLambda) =
+  ( "forall" | "exists" ) QuantifierDomain "::"
+  Expression(allowLemma, allowLambda)
+````
+
+#### 17.2.7.36. Set Comprehension Expressions {#g-set-comprehension-expression}
+([discussion](#sec-set-comprehension-expression)) 
+
+````grammar
+SetComprehensionExpr(allowLemma, allowLambda) =
+  [ "set" | "iset" ]
+  QuantifierDomain(allowLemma, allowLambda)
+  [ "::" Expression(allowLemma, allowLambda) ]
+````
+
+#### 17.2.7.37. Map Comprehension Expression {#g-map-comprehension-expression}
+([discussion](#sec-map-comprehension-expression)) 
+
+````grammar
+MapComprehensionExpr(allowLemma, allowLambda) =
+  ( "map" | "imap" )
+  QuantifierDomain(allowLemma, allowLambda)
+  "::"
+  Expression(allowLemma, allowLambda)
+  [ ":=" Expression(allowLemma, allowLambda) ]
+````
+
+
+#### 17.2.7.38. Statements in an Expression {#g-statement-in-expression}
+([discussion](#sec-statement-in-an-expression)) 
+
+````grammar
+StmtInExpr = ( AssertStmt | AssumeStmt | ExpectStmt
+             | RevealStmt | CalcStmt | ForallStmt
+             )
+````
+
+#### 17.2.7.39. Let and Let or Fail Expression {#g-let-expression}
+([discussion](#sec-let-expression)) 
+
+````grammar
+LetExpression(allowLemma, allowLambda) =
+  (
+    [ "ghost" ] "var" CasePattern { "," CasePattern }
+    ( ":=" | ":-" | { Attribute } ":|" )
+    Expression(allowLemma: false, allowLambda: true)
+    { "," Expression(allowLemma: false, allowLambda: true) }
+  |
+    ":-"
+    Expression(allowLemma: false, allowLambda: true)
+  )
+  ";"
+  Expression(allowLemma, allowLambda)
+````
+
+#### 17.2.7.40. Name Segment {#g-name-segment}
+([discussion](#sec-name-segment)) 
+
+````grammar
+NameSegment = Ident [ GenericInstantiation | HashCall ]
+````
+
+#### 17.2.7.41. Hash Call {#g-hash-call}
+([discussion](#sec-hash-call)) 
+
+````grammar
+HashCall = "#" [ GenericInstantiation ]
+  "[" Expression(allowLemma: true, allowLambda: true) "]"
+  "(" [ Bindings ] ")"
+````
+
+#### 17.2.7.42. Suffix {#g-suffix}
+([discussion](#sec-suffix)) 
+
+````grammar
+Suffix =
+  ( AugmentedDotSuffix_
+  | DatatypeUpdateSuffix_
+  | SubsequenceSuffix_
+  | SlicesByLengthSuffix_
+  | SequenceUpdateSuffix_
+  | SelectionSuffix_
+  | ArgumentListSuffix_
+  )
+````
+
+#### 17.2.7.43. Augmented Dot Suffix {#g-augmented-dot-suffix}
+([discussion](#sec-augmented-dot-suffix)) 
+
+````grammar
+AugmentedDotSuffix_ = "." DotSuffix
+                      [ GenericInstantiation | HashCall ]
+````
+
+#### 17.2.7.44. Datatype Update Suffix {#g-datatype-update-suffix}
+([discussion](#sec-datatype-update-suffix)) 
+
+````grammar
+DatatypeUpdateSuffix_ =
+  "." "(" MemberBindingUpdate { "," MemberBindingUpdate } ")"
+
+MemberBindingUpdate =
+  ( ident | digits )
+  ":=" Expression(allowLemma: true, allowLambda: true)
+````
+
+#### 17.2.7.45. Subsequence Suffix {#g-subsequence-suffix}
+([discussion](#sec-subsequence-suffix)) 
+
+````grammar
+SubsequenceSuffix_ =
+  "[" [ Expression(allowLemma: true, allowLambda: true) ]
+      ".." [ Expression(allowLemma: true, allowLambda: true) ]
+  "]"
+````
+
+#### 17.2.7.46. Subsequence Slices Suffix {#g-subsequence-slices-suffix}
+([discussion](#sec-subsequence-slices-suffix)) 
+
+````grammar
+SlicesByLengthSuffix_ =
+  "[" Expression(allowLemma: true, allowLambda: true) ":"
+      [
+        Expression(allowLemma: true, allowLambda: true)
+        { ":" Expression(allowLemma: true, allowLambda: true) }
+        [ ":" ]
+      ]
+  "]"
+````
+
+#### 17.2.7.47. Sequence Update Suffix {#g-sequence-update-suffix}
+([discussion](#sec-sequence-update-suffix)) 
+
+````grammar
+SequenceUpdateSuffix_ =
+  "[" Expression(allowLemma: true, allowLambda: true)
+      ":=" Expression(allowLemma: true, allowLambda: true)
+  "]"
+````
+
+#### 17.2.7.48. Selection Suffix {#g-selection-suffix}
+([discussion](#sec-selection-suffix)) 
+
+````grammar
+SelectionSuffix_ =
+  "[" Expression(allowLemma: true, allowLambda: true)
+      { "," Expression(allowLemma: true, allowLambda: true) }
+  "]"
+````
+
+#### 17.2.7.49. Argument List Suffix {#g-argument-list-suffix}
+([discussion](#sec-argument-list-suffix)) 
+
+````grammar
+ArgumentListSuffix_ = "(" [ Expressions ] ")"
+````
+
+#### 17.2.7.50. Expression Lists {#g-expression-list}
+([discussion](#sec-expression-list)) 
+
+````grammar
+Expressions =
+  Expression(allowLemma: true, allowLambda: true)
+  { "," Expression(allowLemma: true, allowLambda: true) }
+````
+
+#### 17.2.7.51. Parameter Bindings {#g-parameter-bindings}
+([discussion](#sec-parameter-bindings)) 
+
+````grammar
+ActualBindings =
+  ActualBinding
+  { "," ActualBinding }
+
+ActualBinding(isGhost = false) =
+  [ NoUSIdentOrDigits ":=" ]
+  Expression(allowLemma: true, allowLambda: true)
+````
+
+#### 17.2.7.52. Quantifier domains {#g-quantifier-domain}
+
+````grammar
+QuantifierDomain(allowLemma, allowLambda) =
+  QuantifierVarDecl(allowLemma, allowLambda) 
+  { "," QuantifierVarDecl(allowLemma, allowLambda) }
+
+QuantifierVarDecl(allowLemma, allowLambda) =
+  IdentTypeOptional
+  [ "<-" Expression(allowLemma, allowLambda) ]
+  { Attribute }
+  [ | Expression(allowLemma, allowLambda) ]
+````
+
+
+#### 17.2.7.53. Basic name and type combinations
+
+````grammar
+Ident = ident
+
+DotSuffix = ( ident | digits | "requires" | "reads" )
+
+NoUSIdent = ident - "_" { idchar }
+
+WildIdent = NoUSIdent | "_"
+
+IdentOrDigits = Ident | digits
+NoUSIdentOrDigits = NoUSIdent | digits
+ModuleName = NoUSIdent
+ClassName = NoUSIdent    // also traits
+DatatypeName = NoUSIdent
+DatatypeMemberName = NoUSIdentOrDigits
+NewtypeName = NoUSIdent
+SynonymTypeName = NoUSIdent
+IteratorName = NoUSIdent
+TypeVariableName = NoUSIdent
+MethodFunctionName = NoUSIdentOrDigits
+LabelName = NoUSIdentOrDigits
+AttributeName = NoUSIdent
+ExportId = NoUSIdentOrDigits
+TypeNameOrCtorSuffix = NoUSIdentOrDigits
+
+ModuleQualifiedName = ModuleName { "." ModuleName }
+
+IdentType = WildIdent ":" Type
+
+FIdentType = NoUSIdentOrDigits ":" Type
+
+CIdentType = NoUSIdentOrDigits [ ":" Type ]
+
+GIdentType(allowGhostKeyword, allowNewKeyword, allowOlderKeyword, allowNameOnlyKeyword, allowDefault) =
+  { "ghost" | "new" | "nameonly" | "older" } IdentType
+  [ ":=" Expression(allowLemma: true, allowLambda: true) ]
+
+LocalIdentTypeOptional = WildIdent [ ":" Type ]
+
+IdentTypeOptional = WildIdent [ ":" Type ]
+
+TypeIdentOptional =
+  { Attribute }
+  { "ghost" | "nameonly" } [ NoUSIdentOrDigits ":" ] Type
+  [ ":=" Expression(allowLemma: true, allowLambda: true) ]
+
+FormalsOptionalIds = "(" [ TypeIdentOptional
+                           { "," TypeIdentOptional } ] ")"
+
+````
diff --git a/v4.10.0/DafnyRef/GrammarLinks.java b/v4.10.0/DafnyRef/GrammarLinks.java
new file mode 100644
index 0000000..86076f8
--- /dev/null
+++ b/v4.10.0/DafnyRef/GrammarLinks.java
@@ -0,0 +1,152 @@
+
+import java.nio.file.*;
+import java.util.*;
+import java.io.*;
+import java.util.regex.*;
+
+public class GrammarLinks {
+
+  public static String grammarLabels = "<!--GS-->";
+  public static String grammarLinks = "<!--GE-->";
+  public static Pattern inc = Pattern.compile("\\{%\\h+include_relative\\h+([\\w.]+)");
+  public static Pattern grammar = Pattern.compile("````grammar");
+  public static Pattern grammarEnd = Pattern.compile("````");
+  public static Pattern labels = Pattern.compile(grammarLabels);
+  public static Pattern links = Pattern.compile(grammarLinks);
+  public static Pattern head = Pattern.compile("\\h*([\\w\\d_-]+)(\\([^\\)]*\\))?\\h*=");
+  public static Pattern ref = Pattern.compile("([\\(\\){}\\[\\]\\|\\h]|\"[^\"]+\")*([\\w\\d_!-]+)");
+
+  public static boolean replace = false;
+  public static boolean verbose = false;
+  public static List<String> lines = new ArrayList<String>();
+  public static HashSet<String> heads = new HashSet<String>();
+  public static HashSet<String> refs = new HashSet<String>();
+  public static HashSet<String> allheads = new HashSet<String>();
+  public static HashSet<String> allrefs = new HashSet<String>();
+  public static HashSet<String> no = new HashSet<>();
+  static {
+    no.add("true");
+    no.add("false");
+    no.add("go");
+    no.add("body-less");
+  }
+
+  public static void main(String[] args) {
+    int i = 0;
+    if (i < args.length && args[i].equals("-v")) { verbose = true; i++; }
+    if (i < args.length && args[i].equals("-r")) { replace = true; i++; }
+    process(args[i], false);
+    for (String rr: allheads) {
+      if (!allrefs.contains(rr)) System.out.println("UNUSED HEAD " + rr);
+    }
+    for (String rr: allrefs) {
+      if (!allheads.contains(rr)) System.out.println("ORPHAN REF " + rr);
+    }
+
+    if (replace) {
+      process(args[i], true);
+    }
+}
+
+public static void process(String file, boolean replace) {
+  if (verbose) System.out.println("Opening " + file);
+  try (FileReader f = new FileReader(file);
+       BufferedReader r = new BufferedReader(f)) {
+    PrintWriter w = null;
+    if (replace) w = new PrintWriter(new BufferedWriter(new FileWriter(file + ".tmp")));
+
+    String line;
+    outer: while ((line = r.readLine()) != null) {
+      String out = line;
+      Matcher m = inc.matcher(line);
+      if (m.find()) {
+        if (replace) w.println(line);
+        String newfile = m.group(1);
+        if (newfile.endsWith(".md")) process(newfile, replace);
+        continue;
+      }
+      m = links.matcher(line);
+      if (m.find()) continue;
+      m = grammar.matcher(line);
+      if (m.find() && m.start() == 0) {
+         lines.clear();
+         heads.clear();
+         refs.clear();
+         lines.add(line);
+         String h = " ";
+         while ((line = r.readLine()) != null) {
+           lines.add(line);
+           Matcher mm = grammarEnd.matcher(line);
+           if (mm.find() && mm.start() == 0) break;
+           int k = 0;
+           mm = head.matcher(line);
+           if (mm.find() && mm.start() == 0) {
+              h = mm.group(1);
+              if (verbose) System.out.println("HEAD: " + h);
+              heads.add(h);
+              k = mm.end();
+           }
+           int comment = line.indexOf("//");
+           //if ('A' <= h.charAt(0) && h.charAt(0) <= 'Z') {
+           {
+             mm = ref.matcher(line);
+             while (mm.find(k)) {
+               if (comment >= 0 && mm.start(2) > comment) break;
+               String rf = mm.group(2);
+               int p = mm.start(2);
+               k = mm.end(2);
+               if (p > 0 && line.charAt(p-1) == '"' && line.charAt(k) == '"') break;
+               if (verbose) System.out.println("REF: " + rf);
+               if (!no.contains(rf)) refs.add(rf);
+               if (k < line.length() && line.charAt(k) == '(') {
+                   int kk = line.indexOf(')',k);
+                   if (kk > k) k = kk;
+                   boolean skipping = kk == -1;
+                   while (kk == -1) {
+                       line = r.readLine();
+                       if (line == null) break outer;
+                       kk = line.indexOf(')');
+                   }
+                   if (skipping) break;
+               }
+             }
+             allrefs.addAll(refs);
+           }
+         }
+         allheads.addAll(heads);
+         if (line == null) {
+           System.out.println("No end to grammar block found");
+           System.exit(1);
+         }
+         String lab = grammarLabels;
+         for (String hh: heads) {
+           lab += " {#G-" + hh + "}";
+         }
+         if (verbose) System.out.println(lab);
+         if (replace) w.println(lab);
+         for (String s: lines) {
+           if (replace) w.println(s);
+         }
+         String links = grammarLinks;
+         for (String rr: refs) {
+           links += " ["+rr+"](#G-"+rr+")";
+         }
+         if (verbose) System.out.println(links);
+         if (replace) w.println(links);
+      } else {
+        if (replace) w.println(out);
+      }
+    }
+    if (w != null) {
+      w.close();
+      Path a = FileSystems.getDefault().getPath(file + ".tmp");
+      Path b = FileSystems.getDefault().getPath(file);
+      Files.move(a,b, StandardCopyOption.REPLACE_EXISTING);
+    }
+  } catch (Exception e) {
+    System.out.println(e.getMessage());
+  }
+  if (verbose) System.out.println("Closing " + file);
+}
+
+}
diff --git a/v4.10.0/DafnyRef/Introduction.md b/v4.10.0/DafnyRef/Introduction.md
new file mode 100644
index 0000000..6fbf865
--- /dev/null
+++ b/v4.10.0/DafnyRef/Introduction.md
@@ -0,0 +1,184 @@
+# 1. Introduction {#sec-introduction}
+
+Dafny [@Leino:Dafny:LPAR16] is a programming language with built-in specification constructs,
+so that verifying a program's correctness with respect to those specifications
+is a natural part of writing software.
+The Dafny static program verifier can be used to verify the functional
+correctness of programs.
+This document is a reference manual for the programming language and a user guide
+for the `dafny` tool that performs verification and compilation to an
+executable form.
+
+The Dafny programming language is designed to support the static
+verification of programs. It is imperative, sequential, supports generic
+classes, inheritance and abstraction, methods and functions, dynamic allocation, inductive and
+coinductive datatypes, and specification constructs. The
+specifications include pre- and postconditions, frame specifications
+(read and write sets), and termination metrics. To further support
+specifications, the language also offers updatable ghost variables,
+recursive functions, and types like sets and sequences. Specifications
+and ghost constructs are used only during verification; the compiler
+omits them from the executable code.
+
+The `dafny` verifier is run as part of the compiler. As such, a programmer
+interacts with it in much the same way as with the static type
+checker—when the tool produces errors, the programmer responds by
+changing the program’s type declarations, specifications, and statements.
+
+(This document typically uses "Dafny" to refer to the programming language
+and `dafny` to refer to the software tool that verifies and compiles programs
+in the Dafny language.)
+
+The easiest way to try out the Dafny language is to [download the supporting tools and documentation](https://github.com/dafny-lang/dafny/releases) and
+run `dafny` on your machine as you follow along with the [Dafny tutorial](../OnlineTutorial/guide).
+The `dafny` tool can be run from the command line (on Linux, MacOS, Windows or other platforms) or from IDEs
+such as emacs and VSCode, which can provide syntax highlighting and code manipulation capabilities.
+
+The verifier is powered
+by [Boogie](http://research.microsoft.com/boogie)
+[@Boogie:Architecture;@Leino:Boogie2-RefMan;@LeinoRuemmer:Boogie2]
+and [Z3](https://github.com/z3prover) [@deMouraBjorner:Z3:overview].
+
+From verified programs, the `dafny` compiler can produce code for a number
+of different backends:
+the .NET platform via intermediate C\# files, Java, Javascript, Go, and C++.
+Each language provides a basic Foreign Function Interface (through uses of `:extern`)
+and a supporting runtime library.
+
+This reference manual for the Dafny verification system is
+based on the following references:
+[@Leino:Dafny:LPAR16],
+[@MSR:dafny:main],
+[@LEINO:Dafny:Calc],
+[@LEINO:Dafny:Coinduction],
+[Co-induction Simply](http://research.microsoft.com/en-us/um/people/leino/papers/krml230.pdf).
+
+The main part of the reference manual is in top down order except for an
+initial section that deals with the lowest level constructs.
+
+The details of using (and contributing to) the dafny tool are described in the User Guide ([Section 13](#sec-user-guide)).
+
+## 1.1. Dafny 4.0
+
+The most recent major version of the Dafny language is Dafny 4.0, released in February 2023.
+It has some backwards incompatibilities with Dafny 3, as decribed in the [migration guide](https://github.com/dafny-lang/ide-vscode/wiki/Quick-migration-guide-from-Dafny-3.X-to-Dafny-4.0).
+
+The user documentation has been expanded with more examples, a FAQ, and an error explanation catalog.
+There is even a new book, [Program Proofs](https://mitpress.mit.edu/9780262546232/program-proofs/) by Dafny designer Rustan Leino.
+
+The IDE now has a framework for showing error explanation information and corresponding quick fixes are
+being added, with refactoring operations on the horizon.
+
+More details of 4.0 functionality are described in the release notes.
+## 1.2. Dafny Example {#sec-example}
+To give a flavor of Dafny, here is the solution to a competition problem.
+
+<!-- %check-verify -->
+```dafny
+// VSComp 2010, problem 3, find a 0 in a linked list and return
+// how many nodes were skipped until the first 0 (or end-of-list)
+// was found.
+// Rustan Leino, 18 August 2010.
+//
+// The difficulty in this problem lies in specifying what the
+// return value 'r' denotes and in proving that the program
+// terminates.  Both of these are addressed by declaring a ghost
+// field 'List' in each linked-list node, abstractly representing
+// the linked-list elements from the node to the end of the linked
+// list.  The specification can now talk about that sequence of
+// elements and can use 'r' as an index into the sequence, and
+// termination can be proved from the fact that all sequences in
+// Dafny are finite.
+//
+// We only want to deal with linked lists whose 'List' field is
+// properly filled in (which can only happen in an acyclic list,
+// for example).  To that end, the standard idiom in Dafny is to
+// declare a predicate 'Valid()' that is true of an object when
+// the data structure representing that object's abstract value
+// is properly formed.  The definition of 'Valid()' is what one
+// intuitively would think of as the ''object invariant'', and
+// it is mentioned explicitly in method pre- and postconditions.
+//
+// As part of this standard idiom, one also declares a ghost
+// variable 'Repr' that is maintained as the set of objects that
+// make up the representation of the aggregate object--in this
+// case, the Node itself and all its successors.
+module {:options "--function-syntax:4"} M {
+class Node {
+  ghost var List: seq<int>
+  ghost var Repr: set<Node>
+  var head: int
+  var next: Node? // Node? means a Node value or null
+
+  ghost predicate Valid()
+    reads this, Repr
+  {
+    this in Repr &&
+    1 <= |List| && List[0] == head &&
+    (next == null ==> |List| == 1) &&
+    (next != null ==>
+      next in Repr && next.Repr <= Repr && this !in next.Repr &&
+      next.Valid() && next.List == List[1..])
+  }
+
+  static method Cons(x: int, tail: Node?) returns (n: Node)
+    requires tail == null || tail.Valid()
+    ensures n.Valid()
+    ensures if tail == null then n.List == [x]
+                            else n.List == [x] + tail.List
+  {
+    n := new Node;
+    n.head, n.next := x, tail;
+    if (tail == null) {
+      n.List := [x];
+      n.Repr := {n};
+    } else {
+      n.List := [x] + tail.List;
+      n.Repr := {n} + tail.Repr;
+    }
+  }
+}
+
+method Search(ll: Node?) returns (r: int)
+  requires ll == null || ll.Valid()
+  ensures ll == null ==> r == 0
+  ensures ll != null ==>
+            0 <= r && r <= |ll.List| &&
+            (r < |ll.List| ==>
+              ll.List[r] == 0 && 0 !in ll.List[..r]) &&
+            (r == |ll.List| ==> 0 !in ll.List)
+{
+  if (ll == null) {
+    r := 0;
+  } else {
+    var jj,i := ll,0;
+    while (jj != null && jj.head != 0)
+      invariant jj != null ==>
+            jj.Valid() &&
+            i + |jj.List| == |ll.List| &&
+            ll.List[i..] == jj.List
+      invariant jj == null ==> i == |ll.List|
+      invariant 0 !in ll.List[..i]
+      decreases |ll.List| - i
+    {
+      jj := jj.next;
+      i := i + 1;
+    }
+    r := i;
+  }
+}
+
+method Main()
+{
+  var list: Node? := null;
+  list := list.Cons(0, list);
+  list := list.Cons(5, list);
+  list := list.Cons(0, list);
+  list := list.Cons(8, list);
+  var r := Search(list);
+  print "Search returns ", r, "\n";
+  assert r == 1;
+}
+}
+```
+
diff --git a/v4.10.0/DafnyRef/Makefile b/v4.10.0/DafnyRef/Makefile
new file mode 100644
index 0000000..03bf986
--- /dev/null
+++ b/v4.10.0/DafnyRef/Makefile
@@ -0,0 +1,26 @@
+all: features numbers options
+	./concat DafnyRef.md | sed -e '/numbered toc/d' -e '/:toc/d' -e '/PDFOMIT/d'  -e 's/<!--PDF NEWPAGE-->/\\newpage/' -e 's/<!--.*-->//' | pandoc --citeproc --toc --syntax-definition="../KDESyntaxDefinition/dafny.xml"  --syntax-definition="../KDESyntaxDefinition/grammar.xml" --highlight-style=../KDESyntaxDefinition/dafny.theme --pdf-engine=tectonic --bibliography=DafnyRef.bib --bibliography=krml250.bib --bibliography=poc.bib --bibliography=paper-full.bib --bibliography=references.bib -H head.tex -B header.tex -V colorlinks=true -t pdf -o DafnyRef.pdf
+
+numbers:
+	javac Numbers.java && java Numbers -r DafnyRef.md
+
+options:
+	echo '```' > OptionsTemp.txt
+	../../Scripts/dafny -help | tr -d '\r' | sed -e 's/[ ]+\n/\n/' | grep -v 'Error: ' >> OptionsTemp.txt
+	echo '```' >> OptionsTemp.txt
+	if [ ! -e Options.txt ]; then cp OptionsTemp.txt Options.txt; fi
+	diff -q OptionsTemp.txt Options.txt || ( cp OptionsTemp.txt Options.txt && echo Updated Options.txt )
+	rm OptionsTemp.txt
+
+features:
+	dotnet run --no-build --project ../../Source/TestDafny/TestDafny.csproj features > FeaturesTemp.md
+	if [ ! -e Features.md ]; then cp FeaturesTemp.md Features.md; fi
+	diff -q FeaturesTemp.md Features.md || ( cp FeaturesTemp.md Features.md && echo Updated Features.md )
+	rm FeaturesTemp.md
+
+clean:
+	@-rm -f DafnyRef.pdf
+	rm -rf _site
+
+grammar:
+	javac GrammarLinks.java && java -cp . GrammarLinks DafnyRef.md
diff --git a/v4.10.0/DafnyRef/Modules.1.expect b/v4.10.0/DafnyRef/Modules.1.expect
new file mode 100644
index 0000000..0d25735
--- /dev/null
+++ b/v4.10.0/DafnyRef/Modules.1.expect
@@ -0,0 +1,2 @@
+text.dfy(2,0): Error: Import declaration uses same name as a module in the same scope: MyModule
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Modules.10.expect b/v4.10.0/DafnyRef/Modules.10.expect
new file mode 100644
index 0000000..a4d4e5e
--- /dev/null
+++ b/v4.10.0/DafnyRef/Modules.10.expect
@@ -0,0 +1,3 @@
+text.dfy(3,2): Warning: the least token is the identifier for the export set, not an adjective for an extreme predicate
+
+Dafny program verifier finished with 0 verified, 0 errors
diff --git a/v4.10.0/DafnyRef/Modules.2.expect b/v4.10.0/DafnyRef/Modules.2.expect
new file mode 100644
index 0000000..a754390
--- /dev/null
+++ b/v4.10.0/DafnyRef/Modules.2.expect
@@ -0,0 +1,4 @@
+text.dfy(9,6): Error: value does not satisfy the subset constraints of 'nat'
+text.dfy(12,4): Error: assertion might not hold
+
+Dafny program verifier finished with 1 verified, 2 errors
diff --git a/v4.10.0/DafnyRef/Modules.3.expect b/v4.10.0/DafnyRef/Modules.3.expect
new file mode 100644
index 0000000..0352362
--- /dev/null
+++ b/v4.10.0/DafnyRef/Modules.3.expect
@@ -0,0 +1,2 @@
+text.dfy(8,28): Error: Reference to member 'a' is ambiguous: name 'Option' shadows an import-opened module of the same name, and both have a member 'a'. To solve this issue, give a different name to the imported module using `import opened XYZ = ...` instead of `import opened ...`.
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Modules.4.expect b/v4.10.0/DafnyRef/Modules.4.expect
new file mode 100644
index 0000000..920194d
--- /dev/null
+++ b/v4.10.0/DafnyRef/Modules.4.expect
@@ -0,0 +1,3 @@
+text.dfy(10,4): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Modules.5.expect b/v4.10.0/DafnyRef/Modules.5.expect
new file mode 100644
index 0000000..8b432c4
--- /dev/null
+++ b/v4.10.0/DafnyRef/Modules.5.expect
@@ -0,0 +1,2 @@
+text.dfy(8,13): Error: 'xyz' must be a member of 'M' to be exported
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Modules.6.expect b/v4.10.0/DafnyRef/Modules.6.expect
new file mode 100644
index 0000000..06a00ad
--- /dev/null
+++ b/v4.10.0/DafnyRef/Modules.6.expect
@@ -0,0 +1,2 @@
+text.dfy(1,7): Error: module definition contains a cycle (note: parent modules implicitly depend on submodules): import A -> import B -> import A
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Modules.7.expect b/v4.10.0/DafnyRef/Modules.7.expect
new file mode 100644
index 0000000..50ae88b
--- /dev/null
+++ b/v4.10.0/DafnyRef/Modules.7.expect
@@ -0,0 +1,4 @@
+text.dfy(4,4): Error: unresolved identifier: doIt
+text.dfy(4,8): Error: expected method call, found expression
+text.dfy(2,7): Error: not resolving module '_module' because there were errors in resolving its nested module 'M'
+3 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Modules.md b/v4.10.0/DafnyRef/Modules.md
new file mode 100644
index 0000000..31ee26b
--- /dev/null
+++ b/v4.10.0/DafnyRef/Modules.md
@@ -0,0 +1,1068 @@
+# 4. Modules ([grammar](#g-module)) {#sec-modules}
+
+Examples:
+<!-- %no-check -->
+```dafny
+module N  { }
+import A
+export A reveals f
+```
+
+Structuring a program by breaking it into parts is an important part of
+creating large programs. In Dafny, this is accomplished via _modules_.
+Modules provide a way to group together related types, classes, methods,
+functions, and other modules, as well as to control the scope of
+declarations. Modules may import each other for code reuse, and it is
+possible to abstract over modules to separate an implementation from an
+interface.
+
+Module declarations are of three types:
+- a module definition
+- a module import
+- a module export definition
+
+Module definitions and imports each declare a submodule
+of its enclosing module, which may be the
+implicit, undeclared, top-level module. 
+
+## 4.1. Declaring New Modules ([grammar](#g-module-definition)) {#sec-module-definition}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+module P { const i: int }
+abstract module A.Q { method m() {} }
+module M { module N { } }
+```
+
+A _module definition_
+- has an optional modifier (only `abstract` is allowed)
+- followed by the keyword "module"
+- followed by a name (a sequence of dot-separated identifiers)
+- followed by a body enclosed in curly braces
+
+A module body consists of any declarations that are allowed at the top
+level: classes, datatypes, types, methods, functions, etc.
+
+<!-- %check-resolve -->
+```dafny
+module Mod {
+  class C {
+    var f: int
+    method m()
+  }
+  datatype Option = A(int) | B(int)
+  type T
+  method m()
+  function f(): int
+}
+```
+
+You can also put a module inside another, in a nested fashion:
+
+<!-- %check-resolve -->
+```dafny
+module Mod {
+  module Helpers {
+    class C {
+      method doIt()
+      var f: int
+    }
+  }
+}
+```
+
+Then you can refer to the members of the `Helpers` module within the
+`Mod` module by prefixing them with "Helpers.". For example:
+
+<!-- %check-resolve -->
+```dafny
+module Mod {
+  module Helpers {
+    class C {
+      constructor () { f := 0; }
+      method doIt()
+      var f: int
+    }
+  }
+  method m() {
+    var x := new Helpers.C();
+    x.doIt();
+    x.f := 4;
+  }
+}
+```
+
+Methods and functions defined at the module level are available like
+classes, with just the module name prefixing them. They are also
+available in the methods and functions of the classes in the same
+module.
+
+<!-- %check-resolve -->
+```dafny
+module Mod {
+  module Helpers {
+    function addOne(n: nat): nat {
+      n + 1
+    }
+  }
+  method m() {
+    var x := 5;
+    x := Helpers.addOne(x); // x is now 6
+  }
+}
+```
+
+Note that everything declared at the top-level
+(in all the files constituting the program) is implicitly part
+of a single implicit unnamed global module.
+
+## 4.2. Declaring nested modules standalone
+
+As described in the previous section, module declarations can be nested.
+It is also permitted to declare a nested module _outside_ of its
+"containing" module. So instead of
+<!-- %check-resolve -->
+```dafny
+module A {
+  module B {
+  }
+}
+```
+one can write
+<!-- %check-resolve -->
+```dafny
+module A {
+}
+module A.B {
+}
+```
+The second module is completely separate; for example, it can be in
+a different file.
+This feature provides flexibility in writing and maintenance;
+for example, it can reduce the size of module `A` by extracting module `A.B`
+into a separate body of text.
+
+However, it can also lead to confusion, and program authors need to take care.
+It may not be apparent to a reader of module `A` that module `A.B` exists;
+the existence of `A.B` might cause names to be resolved differently and
+the semantics of the program might be (silently) different if `A.B` is
+present or absent.
+
+## 4.3. Importing Modules ([grammar](#g-module-import)) {#sec-importing-modules}
+
+Examples:
+<!-- %no-check -->
+```dafny
+import A
+import opened B
+import A = B
+import A : B
+import A.B
+import A`E
+import X = A.B`{E,F}
+```
+
+Sometimes you want to refer to
+things from an existing module, such as a library. In this case, you
+can _import_ one module into another. This is done via the `import`
+keyword, which has two forms with different meanings.
+The simplest form is the concrete import, which has
+the form `import A = B`. This declaration creates a reference to the
+module `B` (which must already exist), and binds it to the new local name
+`A`. This form can also be used to create a reference to a nested
+module, as in `import A = B.C`. The other form, using a `:`, is
+described in [Section 4.6](#sec-module-abstraction).
+
+As modules in the same scope must have different names, this ability
+to bind a module to a new name allows disambiguating separately developed
+external modules that have the same name.
+Note that the new name is only bound in the scope containing
+the import declaration; it does not create a global alias. For
+example, if `Helpers` was defined outside of `Mod`, then we could import
+it:
+
+<!-- %check-verify -->
+```dafny
+module Helpers {
+  function addOne(n: nat): nat {
+    n + 1
+  }
+}
+module Mod {
+  import A = Helpers
+  method m() {
+    assert A.addOne(5) == 6;
+  }
+}
+```
+
+Note that inside `m()`, we have to use `A` instead of `Helpers`, as we bound
+it to a different name. The name `Helpers` is not available inside `m()` (or anywhere else inside `Mod`),
+as only names that have been bound inside `Mod` are available. In order
+to use the members from another module, that other module either has to be declared
+there with `module` or imported with `import`. (As described below, the
+resolution of the `ModuleQualifiedName` that follows the `=` in the `import`
+statement or the `refines` in a module declaration uses slightly
+different rules.)
+
+We don't have to give `Helpers` a new name, though, if we don't want
+to. We can write `import Helpers = Helpers` to import the module under
+its own name; Dafny
+even provides the shorthand `import Helpers` for this behavior. You
+can't bind two modules with the same name at the same time, so
+sometimes you have to use the = version to ensure the names do not
+clash. When importing nested modules, `import B.C` means `import C = B.C`;
+the implicit name is always the last name segment of the module designation.
+
+The first identifier in the dot-separated sequence of identifers that constitute
+the qualified name of the module being imported is resolved as (in order)
+- a submodule of the importing module, 
+- or a sibling module of the importing module, 
+- or a sibling module of some containing module, traversing outward. 
+There is no way to refer to a containing module, only
+sibling modules (and their submodules).
+
+Import statements may occur at the top-level of a program
+(that is, in the implicit top-level module of the program) as well.
+There they serve as a way to give a new name, perhaps a
+shorthand name, to a module. For example,
+
+<!-- %check-resolve Modules.1.expect -->
+```dafny
+module MyModule { } // declare MyModule
+import MyModule  // error: cannot add a module named MyModule
+                 // because there already is one
+import M = MyModule // OK. M and MyModule are equivalent
+```
+
+## 4.4. Opening Modules {#sec-opening-modules}
+
+Sometimes, prefixing the members of the module you imported with its
+name is tedious and ugly, even if you select a short name when
+importing it. In this case, you can import the module as `opened`,
+which causes all of its members to be available without adding the
+module name. The `opened` keyword, if present, must immediately follow `import`.
+For example, we could write the previous example as:
+
+<!-- %check-verify -->
+```dafny
+module Helpers {
+  function addOne(n: nat): nat {
+    n + 1
+  }
+}
+module Mod {
+  import opened Helpers
+  method m() {
+    assert addOne(5) == 6;
+  }
+}
+```
+
+When opening modules, the newly bound members have lower priority
+than local definitions. This means if you define
+a local function called `addOne`, the function from `Helpers` will no
+longer be available under that name. When modules are opened, the
+original name binding is still present however, so you can always use
+the name that was bound to get to anything that is hidden.
+
+<!-- %check-verify Modules.2.expect -->
+```dafny
+module Helpers {
+  function addOne(n: nat): nat {
+    n + 1
+  }
+}
+module Mod {
+  import opened H = Helpers
+  function addOne(n: nat): nat {
+    n - 1
+  }
+  method m() {
+    assert addOne(5) == 6; // this is now false,
+                           // as this is the function just defined
+    assert H.addOne(5) == 6; // this is still true
+  }
+}
+```
+
+If you open two modules that both declare members with the same name,
+then neither member can be referred to without a module prefix, as it
+would be ambiguous which one was meant. Just opening the two modules
+is not an error, however, as long as you don't attempt to use members
+with common names. However, if the ambiguous references actually
+refer to the same declaration, then they are permitted.
+The `opened` keyword may be used with any kind of
+`import` declaration, including the module abstraction form.
+
+An `import opened` may occur at the top-level as well. For example,
+<!-- %check-resolve -->
+```dafny
+module MyModule {  } // declares MyModule
+import opened MyModule // does not declare a new module, but does
+                       // make all names in MyModule available in
+                       // the current scope, without needing
+                       // qualification
+import opened M = MyModule // names in MyModule are available in
+                       // the current scope without qualification
+                       // or qualified with either M (because of this
+                       // import) or MyModule (because of the original
+                       // module definition)
+```
+
+The Dafny style guidelines suggest using opened imports sparingly.
+They are best used when the names being imported have obvious
+and unambiguous meanings and when using qualified names would be
+verbose enough to impede understanding.
+
+There is a special case in which the behavior described above is altered.
+If a module `M` declares a type `M` and `M` is `import opened` without renaming inside 
+another module `X`, then the rules above would have, within `X`,
+`M` mean the module and `M.M` mean the type. This is verbose. So in this 
+somewhat common case, the type `M` is effectively made a local declaration within `X`
+so that it has precedence over the module name. Now `M` refers to the type.
+If one needs to refer to the module, it will have to be renamed as part of
+the `import opened` statement.	
+
+This special-case behavior does give rise to a source of ambiguity. Consider
+the example
+<!-- %check-resolve Modules.3.expect -->
+```dafny
+module Option {
+  const a := 1
+  datatype Option = A|B { static const a := 2 }
+}
+
+module X {
+  import opened Option
+  method M() { print Option.a; }
+}
+```
+`Option.a` now means the `a` in the datatype instead of the `a` in the module.
+To avoid confusion in such cases, it is an ambiguity error if a name
+that is declared in both the datatype and the module is used
+when there is an `import open` of
+the module (without renaming).
+
+## 4.5. Export Sets and Access Control ([grammar](#g-module-export)) {#sec-export-sets}
+
+Examples:
+<!-- %no-check -->
+```dafny
+export E extends F reveals f,g provides g,h
+export E reveals *
+export reveals f,g provides g,h
+export E
+export E ... reveals f
+```
+
+In some programming languages, keywords such as `public`, `private`, and `protected`
+are used to control access to (that is, visibility of) declared program entities.
+In Dafny, modules and export sets provide that capability.
+Modules combine declarations into logically related groups.
+Export sets then permit selectively exposing subsets of a module's declarations;
+another module can import the export set appropriate to its needs.
+A user can define as many export sets as are needed to provide different
+kinds of access to the module's declarations.
+Each export set designates a list of names, which must be
+names that are declared in the module (or in a refinement parent).
+
+By default (in the absence of any export set declarations)
+all the names declared in a module are available outside the
+module using the `import` mechanism.
+An _export set_ enables a module to disallow the
+use of some declarations outside the module.
+
+An export set has an optional name used to disambiguate
+in case of multiple export sets;
+If specified, such names are used in `import` statements
+to designate which export set of a module is being imported.
+If a module `M` has export sets `E1` and `E2`,
+we can write ``import A = M`E1`` to create a module alias
+`A` that contains only the names in `E1`.
+Or we can write ``import A = M`{E1,E2}`` to import the union
+of names in `E1` and `E2` as module alias `A`.
+As before, ``import M`E1`` is an abbreviation of ``import M = M`E1``.
+
+If no export set is given in an import
+statement, the default export set of the module is used.
+
+ There are various
+defaults that apply differently in different cases.
+The following description is with respect to an example module `M`:
+
+_`M` has no export sets declared_. Then another module may simply `import Z = M`
+to obtain access to all of M's declarations.
+
+_`M` has one or more named export sets (e.g., `E`, `F`)_. Then another module can
+write ``import Z = M`E`` or ``import Z = M`{E,F}`` to obtain access to the
+names that are listed in export set `E` or to the union of those in export sets
+`E` and `F`, respectively. If no export set has the same name as the module,
+then an export set designator must be used: in that case you cannot write
+simply ``import Z = M``.
+
+_`M` has an unnamed export set, along with other export sets (e.g., named `E`)_. The unnamed
+export set is the default export set and implicitly has the same name as
+the module. Because there is a default export set, another module may write
+either ``import Z = M`` or ``import Z = M`M`` to import the names in that
+default export set. You can also still use the other export sets with the
+explicit designator: ``import Z = M`E``
+
+_`M` declares an export set with the same name as the module_. This is equivalent
+to declaring an export set without a name. ``import M`` and ``import M`M``
+perform the same function in either case; the export set with or without
+the name of the module is the default export set for the module.
+
+Note that names of module aliases (declared by import statements) are
+just like other names in a module; they can be included or omitted from
+export sets.
+Names brought into a module by [_refinement_](#sec-module-refinement) are treated the same as
+locally declared names and can be listed in export set declarations.
+However, names brought into a module by `import opened` (either into a module
+or a refinement parent of a module) may
+not be further exported. For example,
+<!-- %check-verify -->
+```dafny
+module A {
+  const a := 10
+  const z := 10
+}
+module B {
+  import opened Z = A // includes a, declares Z
+  const b := Z.a // OK
+}
+module C {
+  import opened B // includes b, Z, but not a
+  method m() {
+    //assert b == a; // error: a is not known
+    //assert b == B.a; // error: B.a is not valid
+    //assert b == A.a; // error: A is not known
+    assert b == Z.a; // OK: module Z is known and includes a
+  }
+}
+```
+
+However, in the above example,
+
+* if `A` has one export set `export Y reveals a`
+then the import in module `B` is invalid because `A` has no default
+export set;
+* if `A` has one export set `export Y reveals a` and `B` has ``import Z = A`Y``
+then `B`'s import is OK. So is the use of `Z.a` in the assert because `B`
+declares `Z` and `C` brings in `Z` through the `import opened` and
+`Z` contains `a` by virtue of its declaration. (The alias `Z` is not able to
+have export sets; all of its names are visible.)
+* if `A` has one export set `export provides z` then `A` does have a
+default export set, so the import in `B` is OK, but neither the use of `a`
+in `B` nor as `Z.a` in C would be valid, because `a` is not in `Z`.
+
+The default export set is important in the resolution of qualified
+names, as described in [Section 4.8](#sec-name-resolution).
+
+There are a few unusual cases to be noted:
+- an export set can be completely empty, as in `export Nothing`
+- an eponymous export set can be completely empty, as in `export`, which by default has the same name as the enclosing module; this is a way to make the module completely private
+- an export set declaration followed by an extreme predicate declaration looks like this:
+`export least predicate P() { true }`
+In this case, the `least` (or `greatest`) is the identifier naming the export set.
+Consequently, `export least predicate P[nat]() { true }` is illegal because `[nat]` cannot be part of a non-extreme predicate.
+So, it is not possible to declare an eponymous, empty export set by omitting the export id immediately prior to a declaration of an extreme predicate,
+because the `least` or `greatest` token is parsed as the export set identifier. The workaround for this situation is to 
+either put the name of the module in explicitly as the export ID (not leaving it to the default) or reorder the declarations.
+- To avoid confusion, the code
+<!-- %check-verify-warn Modules.10.expect -->
+```dafny
+module M {
+  export
+  least predicate P() { true }
+}
+```
+provokes a warning telling the user that the `least` goes with the `export`.
+
+### 4.5.1. Provided and revealed names {#sec-provided-and-revealed-names}
+
+Names can be exported from modules in two ways, designated by `provides`
+and `reveals` in the export set declaration.
+
+When a name is exported as _provided_, then inside a module that has
+imported the name only the name is known, not the details of the
+name's declaration.
+
+For example, in the following code the constant `a` is exported as provided.
+<!-- %check-verify Modules.4.expect -->
+```dafny
+module A {
+  export provides a
+  const a := 10
+  const b := 20
+}
+
+module B {
+  import A
+  method m() {
+    assert A.a == 10; // a is known, but not its value
+    // assert A.b == 20; // b is not known through A`A
+  }
+}
+```
+Since `a` is imported into module `B` through the default export set ``A`A``,
+it can be referenced in the assert statement. The constant `b` is not
+exported, so it is not available. But the assert about `a` is not provable
+because the value of `a` is not known in module `B`.
+
+In contrast, if `a` is exported as _revealed_, as shown in the next example,
+its value is known and the assertion can be proved.
+<!-- %check-verify -->
+```dafny
+module A {
+  export reveals a
+  const a := 10
+  const b := 20
+}
+
+module B {
+  import A
+  method m() {
+    assert A.a == 10; // a and its value are known
+    // assert A.b == 20; // b is not known through A`A
+  }
+}
+```
+
+The following table shows which parts of a declaration are exported by an
+export set that `provides` or `reveals` the declaration.
+
+```text
+ declaration         | what is exported    | what is exported
+                     | with provides       | with reveals
+---------------------|---------------------|---------------------
+ const x: X := E     | const x: X          | const x: X := E
+---------------------|---------------------|---------------------
+ var x: X            | var x: X            | not allowed
+---------------------|---------------------|---------------------
+ function F(x: X): Y | function F(x: X): Y | function F(x: X): Y
+   specification...  |   specification...  |   specification...
+ {                   |                     | {
+   Body              |                     |   Body
+ }                   |                     | }
+---------------------|---------------------|---------------------
+ method M(x: X)      | method M(x: X)      | not allowed
+   returns (y: Y)    |   returns (y: Y)    |
+   specification...  |   specification...  |
+ {                   |                     |
+   Body;             |                     |
+ }                   |                     |
+---------------------|---------------------|---------------------
+ type Opaque         | type Opaque         | type Opaque
+ {                   |                     |
+   // members...     |                     |
+ }                   |                     |
+---------------------|---------------------|---------------------
+ type Synonym = T    | type Synonym        | type Synonym = T
+---------------------|---------------------|---------------------
+ type S = x: X       | type S              | type S = x: X
+   | P witness E     |                     |   | P witness E
+---------------------|---------------------|---------------------
+ newtype N = x: X    | type N              | newtype N = x: X
+   | P witness E     |                     |   | P witness E
+ {                   |                     |
+   // members...     |                     |
+ }                   |                     |
+```
+```text
+---------------------|---------------------|---------------------
+ datatype D =        | type D              | datatype D =
+     Ctor0(x0: X0)   |                     |    Ctor0(x0: X0)
+   | Ctor1(x1: X1)   |                     |  | Ctor1(x1: X1)
+   | ...             |                     |  | ...
+ {                   |                     |
+   // members...     |                     |
+ }                   |                     |
+---------------------|---------------------|---------------------
+ class Cl            | type Cl             | class Cl
+   extends T0, ...   |                     |   extends T0, ...
+ {                   |                     | {
+   constructor ()    |                     |   constructor ()
+     spec...         |                     |     spec...
+   {                 |                     |
+     Body;           |                     |
+   }                 |                     |
+   // members...     |                     |
+ }                   |                     | }
+---------------------|---------------------|---------------------
+ trait Tr            | type Tr             | trait Tr
+   extends T0, ...   |                     |   extends T0, ...
+ {                   |                     |
+   // members...     |                     |
+ }                   |                     |
+---------------------|---------------------|---------------------
+ iterator Iter(x: X) | type Iter           | iterator Iter(x: X)
+   yields (y: Y)     |                     |   yields (y: Y)
+   specification...  |                     |   specification...
+ {                   |                     |
+   Body;             |                     |
+ }                   |                     |
+---------------------|---------------------|---------------------
+ module SubModule    | module SubModule    | not allowed
+   ...               |   ...               |
+ {                   | {                   |
+   export SubModule  |   export SubModule  |
+     ...             |     ...             |
+   export A ...      |                     |
+   // decls...       |   // decls...       |
+ }                   | }                   |
+---------------------|---------------------|---------------------
+ import L = MS       | import L = MS       | not allowed
+---------------------|---------------------|---------------------
+```
+
+Variations of functions (e.g., `predicate`, `twostate function`) are
+handled like `function` above, and variations of methods (e.g.,
+`lemma` and `twostate lemma`) are treated like `method` above. Since
+the whole signature is exported, a function or method is exported to
+be of the same kind, even through `provides`. For example, an exported
+`twostate lemma` is exported as a `twostate lemma` (and thus is known
+by importers to have two implicit heap parameters), and an exported
+`least predicate P` is exported as a `least predicate P` (and thus
+importers can use both `P` and its prefix predicate `P#`).
+
+If `C` is a `class`, `trait`, or `iterator`, then `provides C` exports
+the non-null reference type `C` as an abstract type. This does not reveal
+that `C` is a reference type, nor does it export the nullable type `C?`.
+
+In most cases, exporting a `class`, `trait`, `datatype`, `codatatype`, or
+abstract type does not automatically export its members. Instead, any member
+to be exported must be listed explicitly. For example, consider the type
+declaration
+
+<!-- %check-resolve -->
+```dafny
+trait Tr {
+  function F(x: int): int { 10 }
+  function G(x: int): int { 12 }
+  function H(x: int): int { 14 }
+}
+```
+
+An export set that contains only `reveals Tr` has the effect of exporting
+
+<!-- %check-resolve -->
+```dafny
+trait Tr {
+}
+```
+
+and an export set that contains only `provides Tr, Tr.F reveals Tr.H` has
+the effect of exporting
+
+<!-- %check-resolve -->
+```dafny
+type Tr {
+  function F(x: int): int
+  function H(x: int): int { 14 }
+}
+```
+
+There is no syntax (for example, `Tr.*`) to export all members of a type.
+
+Some members are exported automatically when the type is revealed.
+Specifically:
+- Revealing a `datatype` or `codatatype` automatically exports the type's
+  discriminators and destructors.
+- Revealing an `iterator` automatically exports the iterator's members.
+- Revealing a class automatically exports the class's anonymous constructor, if any.
+
+For a `class`, a `constructor` member can be exported only if the class is revealed.
+For a `class` or `trait`, a `var` member can be exported only if the class or trait is revealed
+(but a `const` member can be exported even if the enclosing class or trait is only provided).
+
+When exporting a sub-module, only the sub-module's eponymous export set is exported.
+There is no way for a parent module to export any other export set of a sub-module, unless
+it is done via an `import` declaration of the parent module.
+
+The effect of declaring an import as `opened` is confined to the importing module. That
+is, the ability of use such imported names as unqualified is not passed on to further
+imports, as the following example illustrates:
+
+<!-- %check-resolve Modules.5.expect -->
+```dafny
+module Library {
+  const xyz := 16
+}
+
+module M {
+  export
+    provides Lib
+    provides xyz // error: 'xyz' is not declared locally
+
+  import opened Lib = Library
+
+  const k0 := Lib.xyz
+  const k1 := xyz
+}
+
+module Client {
+  import opened M
+
+  const a0 := M.Lib.xyz
+  const a1 := Lib.xyz
+  const a2 := M.xyz // error: M does not have a declaration 'xyz'
+  const a3 := xyz // error: unresolved identifier 'xyz'
+}
+```
+
+As highlighted in this example, module `M` can use `xyz` as if it were a local
+name (see declaration `k1`), but the unqualified name `xyz` is not made available
+to importers of `M` (see declarations `a2` and `a3`), nor is it possible for
+`M` to export the name `xyz`.
+
+A few other notes:
+
+* A `provides` list can mention `*`, which means that all local names
+  (except export set names) in the module are exported as `provides`.
+* A `reveals` list can mention `*`, which means that all local names
+  (except export set names) in the module are exported as `reveals`, if
+  the declaration is allowed to appear in a `reveals` clause, or as
+  `provides`, if the declaration is not allowed to appear in a `reveals`
+  clause.
+* If no export sets are declared, then the implicit
+  export set is `export reveals *`.
+* A refinement module acquires all the export sets from its refinement parent.
+* Names acquired by a module from its refinement parent are also subject to
+  export lists. (These are local names just like those declared directly.)
+
+### 4.5.2. Extends list {#sec-extends-list}
+An export set declaration may include an _extends_ list, which is a list of
+one or more export set names from the same module containing the declaration
+(including export set names obtained from a refinement parent).
+The effect is to include in the declaration the union of all the names in
+the export sets in the extends list, along with any other names explicitly
+included in the declaration. So for example in
+<!-- %check-resolve -->
+```dafny
+module M {
+  const a := 10
+  const b := 10
+  const c := 10
+  export A reveals a
+  export B reveals b
+  export C extends A, B
+    reveals c
+}
+```
+export set `C` will contain the names `a`, `b`, and `c`.
+
+## 4.6. Module Abstraction {#sec-module-abstraction}
+
+Sometimes, using a specific implementation is unnecessary; instead,
+all that is needed is a module that implements some interface.  In
+that case, you can use an _abstract_ module import. In Dafny, this is
+written `import A : B`.  This means bind the name `A` as before, but
+instead of getting the exact module `B`, you get any module which
+_adheres_ to `B`.  Typically, the module `B` may have abstract type
+definitions, classes with bodiless methods, or otherwise be unsuitable
+to use directly.  Because of the way refinement is defined, any
+refinement of `B` can be used safely. For example, suppose we start with
+these declarations:
+
+<!-- %check-verify -->
+```dafny
+abstract module Interface {
+  function addSome(n: nat): nat
+    ensures addSome(n) > n
+}
+abstract module Mod {
+  import A : Interface
+  method m() {
+    assert 6 <= A.addSome(5);
+  }
+}
+```
+
+We can be more precise if we know that `addSome` actually adds
+exactly one. The following module has this behavior. Further, the
+postcondition is stronger, so this is actually a refinement of the
+Interface module.
+
+<!-- %check-verify -->
+```dafny
+module Implementation {
+  function addSome(n: nat): nat
+    ensures addSome(n) == n + 1
+  {
+    n + 1
+  }
+}
+```
+
+We can then substitute `Implementation` for `A` in a new module, by
+declaring a refinement of `Mod` which defines  `A` to be `Implementation`.
+
+<!-- %check-build -->
+```dafny
+abstract module Interface {
+  function addSome(n: nat): nat
+    ensures addSome(n) > n
+}
+abstract module Mod {
+  import A : Interface
+  method m() {
+    assert 6 <= A.addSome(5);
+  }
+}
+module Implementation {
+  function addSome(n: nat): nat
+    ensures addSome(n) == n + 1
+  {
+    n + 1
+  }
+}
+module Mod2 refines Mod {
+  import A = Implementation
+  ...
+}
+```
+
+When you refine an abstract import into a concrete one
+Dafny checks that the concrete module is a
+refinement of the abstract one. This means that the methods must have
+compatible signatures, all the classes and datatypes with their
+constructors and fields in the abstract one must be present in the
+concrete one, the specifications must be compatible, etc.
+
+A module that includes an abstract import must be declared `abstract`.
+
+## 4.7. Module Ordering and Dependencies {#sec-module-ordering}
+
+Dafny isn't particular about the textual order in which modules are
+declared, but
+they must follow some rules to be well formed. In particular,
+there must be a way to order the modules in a program such that each
+only refers to things defined **before** it in the ordering. That
+doesn't mean the modules have to be given textually in that order in
+the source text. Dafny will
+figure out that order for you, assuming you haven't made any circular
+references. For example, this is pretty clearly meaningless:
+
+<!-- %check-resolve Modules.6.expect -->
+```dafny
+import A = B
+import B = A // error: circular
+```
+
+You can have import statements at the toplevel and you can import
+modules defined at the same level:
+
+<!-- %check-verify -->
+```dafny
+import A = B
+method m() {
+  A.whatever();
+}
+module B { method whatever() {} }
+```
+
+In this case, everything is well defined because we can put `B` first,
+followed by the `A` import, and then finally `m()`. If there is no
+permitted ordering, then Dafny will give an error, complaining about a cyclic
+dependency.
+
+Note that when rearranging modules and imports, they have to be kept
+in the same containing module, which disallows some pathological
+module structures. Also, the imports and submodules are always
+considered to be before their containing module, even at the toplevel. This means that the
+following is not well formed:
+
+<!-- %check-resolve Modules.7.expect -->
+```dafny
+method doIt() { }
+module M {
+  method m() {
+    doIt(); // error: M precedes doIt
+  }
+}
+```
+
+because the module `M` must come before any other kind of members, such
+as methods. To define global functions like this, you can put them in
+a module (called `Globals`, say) and open it into any module that needs
+its functionality. Finally, if you import via a path, such as `import A
+= B.C`, then this creates a dependency of `A` on `B`, and `B` itself
+depends on its own nested module `B.C`.
+
+## 4.8. Name Resolution {#sec-name-resolution}
+
+When Dafny sees something like `A<T>.B<U>.C<V>`, how does it know what each part
+refers to? The process Dafny uses to determine what identifier
+sequences like this refer to is name resolution. Though the rules may
+seem complex, usually they do what you would expect. Dafny first looks
+up the initial identifier. Depending on what the first identifier
+refers to, the rest of the identifier is looked up in the appropriate
+context.
+
+In terms of the grammar, sequences like the above are represented as
+a ``NameSegment`` followed by 0 or more ``Suffix``es.
+The form shown above contains three instances of
+``AugmentedDotSuffix_``.
+
+The resolution is different depending on whether it is in
+a module context, an expression context or a type context.
+
+### 4.8.1. Modules and name spaces
+
+A module is a collection of declarations, each of which has a name.
+These names are held in two namespaces.
+
+* The names of export sets
+* The names of all other declarations, including submodules and aliased modules
+
+In addition names can be classified as _local_ or _imported_.
+
+* Local declarations of a module are the declarations
+ that are explicit in the module and the
+local declarations of the refinement parent. This includes, for
+example, the `N` of `import N = ` in the refinement parent, recursively.
+* Imported names of a module are those brought in by `import opened` plus
+the imported names in the refinement parent.
+
+Within each namespace, the local names are unique. Thus a module may
+not reuse a name that a refinement parent has declared (unless it is a
+refining declaration, which replaces both declarations, as described
+in [Section 10](#sec-module-refinement)).
+
+Local names take precedence over imported names. If a name is used more than
+once among imported names (coming from different imports), then it is
+ambiguous to _use_ the name without qualification.
+
+### 4.8.2. Module Id Context Name Resolution
+
+A qualified name may be used to refer to a module in an import statement or a refines clause of a module declaration.
+Such a qualified name is resolved as follows, with respect to its syntactic
+location within a module `Z`:
+
+1. The leading identifier of the qualified name is resolved as a local or imported module name of `Z`, if there
+is one with a matching name. The target of a `refines` clause does not
+consider local names, that is, in `module Z refines A.B.C`, any contents of `Z`
+are not considered in finding `A`.
+
+2. Otherwise, it is resolved as a local or imported module name of the most enclosing module of `Z`,
+   iterating outward to each successive enclosing module until a match is
+found or the default toplevel module is reached without a match.
+No consideration of export sets, default or otherwise, is used in this step.
+However, if at any stage a matching name is found that is not a module
+declaration, the resolution fails. See the examples below.
+
+3a. Once the leading identifier is resolved as say module `M`, the next
+   identifier in the quallified name
+   is resolved as a local or imported module name within `M`.
+   The resolution is restricted to the default export set of `M`.
+
+3b. If the resolved module name is a module alias (from an `import` statement)
+   then the target of the alias is resolved as a new qualified name
+   with respect to its syntactic context (independent of any resolutions or
+modules so far). Since `Z` depends on `M`, any such alias target will
+already have been resolved, because modules are resolved in order of
+dependency.
+
+4. Step 3 is iterated for each identifier in the qualified module id,
+   resulting in a module that is the final resolution of the complete
+   qualified id.
+
+Ordinarily a module must be _imported_ in order for its constituent
+declarations to be visible inside a given module `M`. However, for the
+resolution of qualified names this is not the case.
+
+This example shows that the resolution of the refinement parent does not
+use any local names:
+<!-- %check-verify -->
+```dafny
+module A {
+  const a := 10
+}
+
+module B refines A { // the top-level A, not the submodule A
+  module A { const a := 30 }
+  method m() { assert a == 10; } // true
+}
+```
+In the example, the `A` in `refines A` refers to the global `A`, not the submodule `A`.
+
+
+### 4.8.3. Expression Context Name Resolution
+
+The leading identifier is resolved using the first following
+rule that succeeds.
+
+0. Local variables, parameters and bound variables. These are things like
+   `x`, `y`, and `i` in `var x;, ... returns (y: int)`, and
+   `forall i :: ....` The declaration chosen is the match from the
+   innermost matching scope.
+
+1. If in a class, try to match a member of the class. If the member that
+   is found is not static an implicit `this` is inserted. This works for
+   fields, functions, and methods of the current class (if in a static
+   context, then only static methods and functions are allowed). You can
+   refer to fields of the current class either as `this.f` or `f`,
+   assuming of course that `f` is not hidden by one of the above. You
+   can always prefix `this` if needed, which cannot be hidden. (Note that a
+   field whose name is a string of digits must always have some prefix.)
+
+2. If there is no ``Suffix``, then look for a datatype constructor, if
+   unambiguous. Any datatypes that don't need qualification (so the
+   datatype name itself doesn't need a prefix) and also have a uniquely
+   named constructor can be referred to just by name.  So if
+   `datatype List = Cons(List) | Nil` is the only datatype that declares
+   `Cons` and `Nil` constructors, then you can write `Cons(Cons(Nil))`.
+   If the constructor name is not unique, then you need to prefix it with
+   the name of the datatype (for example `List.Cons(List.Nil)))`. This is
+   done per constructor, not per datatype.
+
+3. Look for a member of the enclosing module.
+
+4. Module-level (static) functions and methods
+
+In each module, names from opened modules are also potential matches, but
+only after names declared in the module.
+If an ambiguous name is found or a name of the wrong kind (e.g. a module
+instead of an expression identifier), an error is generated, rather than continuing
+down the list.
+
+After the first identifier, the rules are basically the
+same, except in the new context. For example, if the first identifier is
+a module, then the next identifier looks into that module. Opened modules
+only apply within the module it is opened into. When looking up into
+another module, only things explicitly declared in that module are
+considered.
+
+To resolve expression `E.id`:
+
+First resolve expression E and any type arguments.
+
+* If `E` resolved to a module `M`:
+  0. If `E.id<T>` is not followed by any further suffixes, look for
+     unambiguous datatype constructor.
+  1. Member of module M: a sub-module (including submodules of imports),
+     class, datatype, etc.
+  2. Static function or method.
+* If `E` denotes a type:
+  3. Look up id as a member of that type
+* If `E` denotes an expression:
+  4. Let T be the type of E. Look up id in T.
+
+### 4.8.4. Type Context Name Resolution
+
+In a type context the priority of identifier resolution is:
+
+1. Type parameters.
+
+2. Member of enclosing module (type name or the name of a module).
+
+To resolve expression `E.id`:
+
+* If `E` resolved to a module `M`:
+  0. Member of module M: a sub-module (including submodules of imports),
+     class, datatype, etc.
+* If `E` denotes a type:
+  1. Then the validity and meaning of `id` depends on the type and
+     must be a user-declared or pre-defined member of the type.
diff --git a/v4.10.0/DafnyRef/Numbers.java b/v4.10.0/DafnyRef/Numbers.java
new file mode 100644
index 0000000..a1425cf
--- /dev/null
+++ b/v4.10.0/DafnyRef/Numbers.java
@@ -0,0 +1,158 @@
+// This program inserts section numbers into a .md document (replacing
+// any that are there). It also puts in the section numbers in
+// cross-reference links.
+// A heading line consists of: one or more #, a dotted section number,
+// the section title, and the reference {#sec-name}
+// A section cross-reference is: [Section 0](#sec-name)
+
+import java.nio.file.*;
+import java.util.*;
+import java.io.*;
+import java.util.regex.*;
+
+public class Numbers {
+
+  public static Pattern inc = Pattern.compile("\\{%\\s+include(_relative)?\\s+([\\w.\\d/_-]+)");
+  public static Pattern sec = Pattern.compile("^[ \\t0-9\\.]*([#]+)\\h+(\\D|((\\d+\\.)+))");
+  public static Pattern ref = Pattern.compile("\\{#([\\w-]+)\\}");
+  public static Pattern cite = Pattern.compile("\\(#([\\w-]+)\\)");
+  public static Pattern seccite = Pattern.compile("(\\[Section [\\d\\.]+\\])\\(#([\\w-]+)\\)");
+  public static Pattern id = Pattern.compile("id=\"([a-zA-Z-]*)\"");
+
+  public static Set<String> cites = new HashSet<>();
+  public static Map<String,String> labels = new HashMap<>();
+
+  public static int[] counts = new int[100];
+  public static int depth = 0;
+  public static boolean replace = false;
+  public static boolean verbose = false;
+
+  public static void main(String[] args) {
+    int i = 0;
+    if (i < args.length && args[i].equals("-v")) { verbose = true; i++; }
+    if (i < args.length && args[i].equals("-r")) { replace = true; i++; }
+    process(args[i], false);
+    if (replace) {
+      depth = 0; counts = new int[100];
+      process(args[i], true);
+    }
+
+
+    if (verbose) System.out.println("Number of cites: " + cites.size());
+    //for (String s: cites) System.out.println("   " + s);
+    if (verbose) System.out.println("Number of labels: " + labels.size());
+    for (String s: cites) {
+      if (!labels.containsKey(s)) System.out.println(" No label: " + s);
+    }
+}
+
+public static String num() {
+  String s = "";
+  for (int k=0; k < depth; k++) s = s + counts[k] + '.';
+  return s;
+}
+
+public static void process(String file, boolean replace) {
+  if (verbose) System.out.println("Opening " + file);
+  try (FileReader f = new FileReader(file);
+       BufferedReader r = new BufferedReader(f)) {
+    PrintWriter w = null;
+    if (replace) w = new PrintWriter(new BufferedWriter(new FileWriter(file + ".tmp")));
+
+    String line;
+    // For the first line, we read it manually.
+    line = "";
+    char c;
+    while((c = (char)r.read()) != '\0' && c != '\n' && c != '\r') {
+      line = line + (char)c;
+    }
+    // Get the newline character by reading the file itself
+    String newlineChar = c == '\n' ? "\n" : "\r\n";
+    boolean first = true;
+    while ((line = first ? line : r.readLine()) != null) {
+      // Get the newline character by reading the file itself
+      first = false;
+
+      String out = line;
+      Matcher mid = id.matcher(line);
+      if (mid.find()) {
+          String label = mid.group(1);
+          labels.put(label,"0");
+      }
+      Matcher m = inc.matcher(line);
+      if (m.find()) {
+        if (replace) w.print(line + newlineChar);
+        String rel = m.group(1);
+        String newfile = m.group(2);
+        if (newfile.endsWith(".md")) {
+          String fn = rel == null ? "../_includes/" + newfile : newfile ;
+          process(fn, replace);
+        }
+        continue;
+      }
+      m = sec.matcher(line);
+      if (m.find() && m.start() == 0) {
+        String hashes = m.group(1);
+        String digits = m.group(3);
+        int textpos = m.end(1);
+        if (digits != null) textpos = m.end(3);
+        int k = hashes.length();
+        while (depth > k) counts[--depth] = 0;
+        if (k > depth+1) System.out.println("Skipping a level");
+        if (k > depth) ++depth;
+        counts[depth-1]++;
+        String n = num();
+        if (digits != null && !n.equals(digits)) System.out.println("number mismatch " + digits + " vs. " + n);
+        m = ref.matcher(line);
+        if (m.find()) {
+          String refname = m.group(1);
+          if (verbose) System.out.println("    " + refname + " : " + n);
+          labels.put(refname,n);
+        }
+        out = (hashes + " " + n + line.substring(textpos));
+        if (verbose) {
+          System.out.println(out);
+        }
+      }
+      if (!replace) {
+        m = cite.matcher(out);
+        if (m.find()) {
+          String s = m.group(1);
+          cites.add(s);
+        }
+      } else {
+        m = seccite.matcher(out);
+        int q = -1;
+        while (m.find(q+1)) {
+          String s = m.group(1);
+          String ref = m.group(2);
+          String num = labels.get(ref);
+          if (num == null) {
+             System.out.println("No match for " + ref);
+             break;
+          } else {
+             q = m.start();
+             int e = m.end();
+             String nn =  "[Section " + num.substring(0,num.length()-1) + "](#" + ref + ")";
+             if (verbose) System.out.println(nn + " <== " + out.substring(q,e));
+             out = out.substring(0,q) + nn + out.substring(e);
+             m = seccite.matcher(out);
+          }
+        }
+      }
+      if (replace) w.print(out + newlineChar);
+    }
+    if (w != null) {
+      w.close();
+      f.close();
+      Path a = FileSystems.getDefault().getPath(file + ".tmp");
+      Path b = FileSystems.getDefault().getPath(file);
+      Files.move(a,b, StandardCopyOption.REPLACE_EXISTING);
+    }
+  } catch (Exception e) {
+    System.out.println(e.getMessage());
+  }
+  if (verbose) System.out.println("Closing " + file);
+}
+
+}
diff --git a/v4.10.0/DafnyRef/Options.txt b/v4.10.0/DafnyRef/Options.txt
new file mode 100644
index 0000000..7c3402d
--- /dev/null
+++ b/v4.10.0/DafnyRef/Options.txt
@@ -0,0 +1,767 @@
+```
+Use 'dafny --help' to see help for the new Dafny CLI format.
+Usage: dafny [ option ... ] [ filename ... ]
+
+  ---- General options -------------------------------------------------------
+
+  /version      print the dafny version number
+  /help         print this message
+  /attrHelp     print a message about supported declaration attributes
+  /env:<n>      print command line arguments
+                  0 - never, 1 (default) - during BPL print and prover log,
+                  2 - like 1 and also to standard output
+  /printVerifiedProceduresCount:<n>
+                0 - no
+                1 (default) - yes
+  /wait         await Enter from keyboard before terminating program
+  /xml:<file>   also produce output in XML format to <file>
+
+  All the .dfy files supplied on the command line along with files recursively
+  included by 'include' directives are considered a single Dafny program;
+  however only those files listed on the command line are verified.
+  
+  Exit code: 0 -- success; 1 -- invalid command-line; 2 -- parse or type errors;
+             3 -- compilation errors; 4 -- verification errors
+  
+  ---- Input configuration ---------------------------------------------------
+  
+  /dprelude:<file>
+      Choose the Dafny prelude file.
+
+  /stdin
+      Read standard input and treat it as an input .dfy file.
+  
+  ---- Plugins ---------------------------------------------------------------
+  
+  ---- Overall reporting and printing ----------------------------------------
+  
+  /showSnippets:<value>
+      0 (default) - Don't show source code snippets for Dafny messages.
+      1 - Show a source code snippet for each Dafny message.
+
+  /stats
+      Print interesting statistics about the Dafny files supplied.
+  
+  /printIncludes:<None|Immediate|Transitive>
+      None (default) - Print nothing.
+      Immediate - Print files included by files listed on the command line.
+      Transitive - Recurses on the files printed by Immediate.
+  
+      Immediate and Transitive will exit after printing.
+  
+  /view:<view1, view2>
+      Print the filtered views of a module after it is resolved (/rprint).
+      If print before the module is resolved (/dprint), then everything in
+      the module is printed. If no view is specified, then everything in
+      the module is printed.
+  /funcCallGraph
+      Print out the function call graph. Format is: func,mod=callee*
+  
+  /pmtrace
+      Print pattern-match compiler debug info.
+  
+  /printTooltips
+      Dump additional positional information (displayed as mouse-over
+      tooltips by the VS Code plugin) to stdout as 'Info' messages.
+  
+  /diagnosticsFormat:<text|json>
+      Choose how to report errors, warnings, and info messages.
+      text (default) - Use human readable output
+      json - Print each message as a JSON object, one per line.
+  
+  ---- Language feature selection --------------------------------------------
+  
+  /defaultFunctionOpacity:<value>
+      Change the default opacity of functions. 
+      `transparent` (default) means functions are transparent, can be manually made opaque and then revealed. 
+      `autoRevealDependencies` makes all functions not explicitly labelled as opaque to be opaque but reveals them automatically in scopes which do not have `{:autoRevealDependencies false}`. 
+      `opaque` means functions are always opaque so the opaque keyword is not needed, and functions must be revealed everywhere needed for a proof.
+
+  /readsClausesOnMethods:<value>
+      0 (default) - Reads clauses on methods are forbidden.
+      1 - Reads clauses on methods are permitted (with a default of 'reads *').
+
+  /standardLibraries:<value>
+      0 (default) - Do not allow Dafny code to depend on the standard libraries included with the Dafny distribution.
+      1 - Allow Dafny code to depend on the standard libraries included with the Dafny distribution.
+      See https://github.com/dafny-lang/dafny/blob/master/Source/DafnyStandardLibraries/README.md for more information.
+      Not compatible with the /unicodeChar:0 option.
+
+  /noIncludes
+      Ignore include directives.
+  
+  /noExterns
+      Ignore extern attributes.
+  
+  /functionSyntax:<version>
+      The syntax for functions is changing from Dafny version 3 to version
+      4. This switch gives early access to the new syntax, and also
+      provides a mode to help with migration.
+  
+      3 - Compiled functions are written `function method` and
+          `predicate method`. Ghost functions are written `function` and
+          `predicate`.
+      4 (default) - Compiled functions are written `function` and `predicate`. Ghost
+          functions are written `ghost function` and `ghost predicate`.
+      migration3to4 - Compiled functions are written `function method` and
+          `predicate method`. Ghost functions are written `ghost function`
+          and `ghost predicate`. To migrate from version 3 to version 4,
+          use this flag on your version 3 program. This will give flag all
+          occurrences of `function` and `predicate` as parsing errors.
+          These are ghost functions, so change those into the new syntax
+          `ghost function` and `ghost predicate`. Then, start using
+          /functionSyntax:4. This will flag all occurrences of `function
+          method` and `predicate method` as parsing errors. So, change
+          those to just `function` and `predicate`. Now, your program uses
+          version 4 syntax and has the exact same meaning as your previous
+          version 3 program.
+      experimentalDefaultGhost - Like migration3to4, but allow `function`
+          and `predicate` as alternatives to declaring ghost functions and
+          predicates, respectively.
+      experimentalDefaultCompiled - Like migration3to4, but allow
+          `function` and `predicate` as alternatives to declaring compiled
+          functions and predicates, respectively.
+      experimentalPredicateAlwaysGhost - Compiled functions are written
+          `function`. Ghost functions are written `ghost function`.
+          Predicates are always ghost and are written `predicate`.
+  
+  /quantifierSyntax:<version>
+      The syntax for quantification domains is changing from Dafny version
+      3 to version 4, more specifically where quantifier ranges (|
+      <Range>) are allowed. This switch gives early access to the new
+      syntax.
+  
+      3 - Ranges are only allowed after all quantified variables
+          are declared. (e.g. set x, y | 0 <= x < |s| && y in s[x] && 0 <=
+          y :: y)
+      4 (default) - Ranges are allowed after each quantified variable declaration.
+          (e.g. set x | 0 <= x < |s|, y <- s[x] | 0 <= y :: y)
+  
+      Note that quantifier variable domains (<- <Domain>) are available in
+      both syntax versions.
+  
+  /disableScopes
+      Treat all export sets as 'export reveal *'. i.e. don't hide function
+      bodies or type definitions during translation.
+  
+  ---- Warning selection -----------------------------------------------------
+  
+  /warnShadowing
+      Emits a warning if the name of a declared variable caused another
+      variable to be shadowed.
+  
+  /warnMissingConstructorParenthesis
+      Emits a warning when a constructor name in a case pattern is not
+      followed by parentheses.
+  
+  /deprecation:<n>
+      0 - Don't give any warnings about deprecated features.
+      1 (default) - Show warnings about deprecated features.
+  
+  /warningsAsErrors
+      Treat warnings as errors.
+  
+  ---- Verification options -------------------------------------------------
+  
+  /allowAxioms:<value>
+      Prevents a warning from being generated for axioms, such as assume statements and functions or methods without a body, that don't have an {:axiom} attribute.
+
+  /verificationLogger:<configuration>
+      Logs verification results using the given test result format. The currently supported formats are `trx`, `csv`, and `text`. These are: the XML-based format commonly used for test results for .NET languages, a custom CSV schema, and a textual format meant for human consumption. You can provide configuration using the same string format as when using the --logger option for dotnet test, such as: --format "trx;LogFileName=<...>");
+      
+      The `trx` and `csv` formats automatically choose an output file name by default, and print the name of this file to the console. The `text` format prints its output to the console by default, but can send output to a file given the `LogFileName` option.
+      
+      The `text` format also includes a more detailed breakdown of what assertions appear in each assertion batch. When combined with the isolate-assertions option, it will provide approximate time and resource use costs for each assertion, allowing identification of especially expensive assertions.
+
+  /dafnyVerify:<n>
+      0 - Stop after resolution and typechecking.
+      1 - Continue on to verification and compilation.
+  
+  /verifyAllModules
+      Verify modules that come from an include directive.
+  
+  /emitUncompilableCode
+      Allow compilers to emit uncompilable code that usually contain useful
+      information about what feature is missing, rather than
+      stopping on the first problem
+  
+  /separateModuleOutput
+      Output verification results for each module separately, rather than
+      aggregating them after they are all finished.
+  
+  /noCheating:<n>
+      0 (default) - Allow assume statements and free invariants.
+      1 - Treat all assumptions as asserts, and drop free.
+  
+  /induction:<n>
+      0 - Never do induction, not even when attributes request it.
+      1 - Only apply induction when attributes request it.
+      2 - Apply induction as requested (by attributes) and also for
+          heuristically chosen quantifiers.
+      3 - Apply induction as requested, and for heuristically chosen
+          quantifiers and lemmas.
+      4 (default) - Apply induction as requested, and for lemmas.
+  
+  /inductionHeuristic:<n>
+      0 - Least discriminating induction heuristic (that is, lean toward
+          applying induction more often).
+      1,2,3,4,5 - Levels in between, ordered as follows as far as how
+          discriminating they are: 0 < 1 < 2 < (3,4) < 5 < 6.
+      6 (default) - Most discriminating.
+  
+  /trackPrintEffects:<n>
+      0 (default) - Every compiled method, constructor, and iterator,
+         whether or not it bears a {:print} attribute, may have print
+         effects.
+      1 - A compiled method, constructor, or iterator is allowed to have
+         print effects only if it is marked with {:print}.
+  
+  /definiteAssignment:<n>
+      0 - Ignores definite-assignment rules. This mode is for testing
+          only--it is not sound.
+      1 (default) - Enforces definite-assignment rules for compiled
+          variables and fields whose types do not support
+          auto-initialization, and for ghost variables and fields whose
+          type is possibly empty.
+      2 - Enforces definite-assignment for all non-yield-parameter
+          variables and fields, regardless of their types.
+      3 - Like 2, but also performs checks in the compiler that no
+          nondeterministic statements are used; thus, a program that
+          passes at this level 3 is one that the language guarantees that
+          values seen during execution will be the same in every run of
+          the program.
+      4 - Like 1, but enforces definite assignment for all local variables
+          and out-parameters, regardless of their types. (Whether or not
+          fields and new arrays are subject to definite assignments depends
+          on their types.)
+  
+  /noAutoReq
+      Ignore autoReq attributes.
+  
+  /autoReqPrint:<file>
+      Print out requirements that were automatically generated by autoReq.
+  
+  /noNLarith
+      Reduce Z3's knowledge of non-linear arithmetic (*,/,%).
+  
+      Results in more manual work, but also produces more predictable
+      behavior. (This switch will perhaps be replaced by /arith in the
+      future. For now, it takes precedence of /arith.)
+  
+  /arith:<n>
+      (experimental) Adjust how Dafny interprets arithmetic operations.
+  
+      0 - Use Boogie/Z3 built-ins for all arithmetic operations.
+      1 (default) - Like 0, but introduce symbolic synonyms for *,/,%, and
+          allow these operators to be used in triggers.
+      2 - Like 1, but introduce symbolic synonyms also for +,-.
+      3 - Turn off non-linear arithmetic in the SMT solver. Still, use
+          Boogie/Z3 built-in symbols for all arithmetic operations.
+      4 - Like 3, but introduce symbolic synonyms for *,/,%, and allow
+          these operators to be used in triggers.
+      5 - Like 4, but introduce symbolic synonyms also for +,-.
+      6 - Like 5, and introduce axioms that distribute + over *.
+      7 - like 6, and introduce facts that associate literals arguments of *.
+      8 - Like 7, and introduce axiom for the connection between *,/,%.
+      9 - Like 8, and introduce axioms for sign of multiplication.
+      10 - Like 9, and introduce axioms for commutativity and
+          associativity of *.
+  
+  /autoTriggers:<n>
+      0 - Do not generate {:trigger} annotations for user-level
+          quantifiers.
+      1 (default) - Add a {:trigger} to each user-level quantifier.
+          Existing annotations are preserved.
+  
+  /rewriteFocalPredicates:<n>
+      0 - Don't rewrite predicates in the body of prefix lemmas.
+      1 (default) - In the body of prefix lemmas, rewrite any use of a
+          focal predicate P to P#[_k-1].
+  
+  /extractCounterexample
+      If verification fails, report a detailed counterexample for the
+      first failing assertion (experimental).
+  
+  ---- Compilation options ---------------------------------------------------
+  
+  /compileTarget:<language>
+      cs (default) - Compile to .NET via C#.
+      go - Compile to Go.
+      js - Compile to JavaScript.
+      java - Compile to Java.
+      py - Compile to Python.
+      cpp - Compile to C++.
+      dfy - Compile to Dafny.
+      
+      Note that the C++ backend has various limitations (see
+      Docs/Compilation/Cpp.md). This includes lack of support for
+      BigIntegers (aka int), most higher order functions, and advanced
+      features like traits or co-inductive types.
+
+  /library:<value>
+      The contents of this file and any files it includes can be referenced from other files as if they were included. 
+      However, these contents are skipped during code generation and verification.
+      This option is useful in a diamond dependency situation, 
+      to prevent code from the bottom dependency from being generated more than once.
+      The value may be a comma-separated list of files and folders.
+
+  /optimizeErasableDatatypeWrapper:<value>
+      0 - Include all non-ghost datatype constructors in the compiled code
+      1 (default) - In the compiled target code, transform any non-extern
+          datatype with a single non-ghost constructor that has a single
+          non-ghost parameter into just that parameter. For example, the type
+              datatype Record = Record(x: int)
+          is transformed into just 'int' in the target code.
+
+  /out:<file>
+      Specify the filename and location for the generated target language files.
+
+  /runAllTests:<n>
+      0 (default) - Annotates compiled methods with the {:test}
+              attribute such that they can be tested using a testing framework
+              in the target language (e.g. xUnit for C#).
+          1 - Emits a main method in the target language that will execute
+              every method in the program with the {:test} attribute. Cannot
+              be used if the program already contains a main method. Note that
+              /compile:3 or 4 must be provided as well to actually execute
+              this main method!
+
+  /compile:<n>
+      0 - Do not compile Dafny program.
+      1 (default) - Upon successful verification of the Dafny program,
+          compile it to the designated target language. (/noVerify
+          automatically counts as a failed verification.)
+      2 - Always attempt to compile Dafny program to the target language,
+          regardless of verification outcome.
+      3 - If there is a Main method and there are no verification errors
+          and /noVerify is not used, compiles program in memory (i.e.,
+          does not write an output file) and runs it.
+      4 - Like (3), but attempts to compile and run regardless of
+          verification outcome.
+  /Main:<name>
+      Specify the (fully-qualified) name of the method to use as the executable entry point.
+      Default is the method with the {:main} attribute, or else the method named 'Main'.
+      A Main method can have at most one (non-ghost) argument of type `seq<string>`
+  --args <arg1> <arg2> ...
+      When running a Dafny file through /compile:3 or /compile:4, '--args' provides
+      all arguments after it to the Main function, at index starting at 1.
+      Index 0 is used to store the executable's name if it exists.
+  
+  /compileVerbose:<n>
+      0 - Don't print status of compilation to the console.
+      1 (default) - Print information such as files being written by the
+          compiler to the console.
+  
+  /spillTargetCode:<n>
+      Explicitly writes the code in the target language to one or more files.
+      This is not necessary to run a Dafny program, but may be of interest when
+      building multi-language programs or for debugging.
+  
+      0 (default) - Don't make any extra effort to write the textual
+          target program (but still compile it, if /compile indicates to
+          do so).
+      1 - Write the textual target program, if it is being compiled.
+      2 - Write the textual target program, provided it passes the
+          verifier (and /noVerify is NOT used), regardless of /compile
+          setting.
+      3 - Write the textual target program, regardless of verification
+          outcome and /compile setting.
+      Note, some compiler targets may (always or in some situations) write
+      out the textual target program as part of compilation, in which case
+      /spillTargetCode:0 behaves the same way as /spillTargetCode:1.
+  /coverage:<file>
+      The compiler emits branch-coverage calls and outputs into <file> a
+      legend that gives a description of each source-location identifier
+      used in the branch-coverage calls. (Use - as <file> to print to the
+      console.)
+  
+  /optimize
+      Produce optimized C# code by passing the /optimize flag to csc.exe.
+  
+  /optimizeResolution:<n>
+      0 - Resolve and translate all methods.
+      1 - Translate methods only in the call graph of current verification
+          target.
+      2 (default) - As in 1, but only resolve method bodies in
+          non-included Dafny sources.
+  /useRuntimeLib
+      Refer to a pre-built DafnyRuntime.dll in the compiled assembly
+      rather than including DafnyRuntime.cs verbatim.
+  
+  /testContracts:<Externs|TestedExterns>
+      Enable run-time testing of the compilable portions of certain function
+      or method contracts, at their call sites. The current implementation
+      focuses on {:extern} code but may support other code in the future.
+  
+      Externs - Check contracts on every call to a function or method marked
+          with the {:extern} attribute, regardless of where it occurs.
+      TestedExterns - Check contracts on every call to a function or method
+          marked with the {:extern} attribute when it occurs in a method
+          with the {:test} attribute, and warn if no corresponding test
+          exists for a given external declaration.
+  
+  ----------------------------------------------------------------------------
+  
+  Dafny generally accepts Boogie options and passes these on to Boogie.
+  However, some Boogie options, like /loopUnroll, may not be sound for
+  Dafny or may not have the same meaning for a Dafny program as it would
+  for a similar Boogie program.
+  
+  ---- Boogie options --------------------------------------------------------
+
+  Multiple .bpl files supplied on the command line are concatenated into one
+  Boogie program.
+
+  /lib:<name>    : Include definitions in library <name>. The file <name>.bpl
+                   must be an included resource in Core.dll. Currently, the
+                   following libraries are supported---base, node.
+  /proc:<p>      : Only check procedures matched by pattern <p>. This option
+                   may be specified multiple times to match multiple patterns.
+                   The pattern <p> matches the whole procedure name and may
+                   contain * wildcards which match any character zero or more
+                   times.
+  /noProc:<p>    : Do not check procedures matched by pattern <p>. Exclusions
+                   with /noProc are applied after inclusions with /proc.
+  /noResolve     : parse only
+  /noTypecheck   : parse and resolve only
+
+  /print:<file>  : print Boogie program after parsing it
+                   (use - as <file> to print to console)
+  /pretty:<n>
+                0 - print each Boogie statement on one line (faster).
+                1 (default) - pretty-print with some line breaks.
+  /printWithUniqueIds : print augmented information that uniquely
+                   identifies variables
+  /printUnstructured : with /print option, desugars all structured statements
+  /printPassive :  with /print option, prints passive version of program
+  /printDesugared : with /print option, desugars calls
+  /printLambdaLifting : with /print option, desugars lambda lifting
+
+  /freeVarLambdaLifting : Boogie's lambda lifting transforms the bodies of lambda
+                         expressions into templates with holes. By default, holes
+                         are maximally large subexpressions that do not contain
+                         bound variables. This option performs a form of lambda
+                         lifting in which holes are the lambda's free variables.
+
+  /overlookTypeErrors : skip any implementation with resolution or type
+                        checking errors
+
+  /loopUnroll:<n>
+                unroll loops, following up to n back edges (and then some)
+                default is -1, which means loops are not unrolled
+  /extractLoops
+                extract reducible loops into recursive procedures and
+                inline irreducible loops using the bound supplied by /loopUnroll:<n>
+  /soundLoopUnrolling
+                sound loop unrolling
+  /doModSetAnalysis
+                automatically infer modifies clauses
+  /printModel:<n>
+                0 (default) - do not print Z3's error model
+                1 - print Z3's error model
+  /printModelToFile:<file>
+                print model to <file> instead of console
+  /mv:<file>    Specify file to save the model with captured states
+                (see documentation for :captureState attribute)
+  /enhancedErrorMessages:<n>
+                0 (default) - no enhanced error messages
+                1 - Z3 error model enhanced error messages
+
+  /printCFG:<prefix> : print control flow graph of each implementation in
+                       Graphviz format to files named:
+                         <prefix>.<procedure name>.dot
+
+  /useBaseNameForFileName : When parsing use basename of file for tokens instead
+                            of the path supplied on the command line
+
+  /emitDebugInformation:<n>
+                0 - do not emit debug information
+                1 (default) - emit the debug information :qid, :skolemid and set-info :boogie-vc-id
+
+  /normalizeNames:<n>
+                0 (default) - Keep Boogie program names when generating SMT commands
+                1 - Normalize Boogie program names when generating SMT commands. 
+                  This keeps SMT solver input, and thus output, 
+                  constant when renaming declarations in the input program.
+
+  /normalizeDeclarationOrder:<n>
+                0 - Keep order of top-level declarations when generating SMT commands.
+                1 (default) - Normalize order of top-level declarations when generating SMT commands.
+                  This keeps SMT solver input, and thus output, 
+                  constant when reordering declarations in the input program.
+
+  ---- Inference options -----------------------------------------------------
+
+  /infer:<flags>
+                use abstract interpretation to infer invariants
+                <flags> must specify exactly one of the following domains:
+                   t = trivial bottom/top lattice
+                   j = stronger intervals
+                together with any of the following options:
+                   s = debug statistics
+                0..9 = number of iterations before applying a widen (default=0)
+  /checkInfer   instrument inferred invariants as asserts to be checked by
+                theorem prover
+  /contractInfer
+                perform procedure contract inference
+  /instrumentInfer
+                h - instrument inferred invariants only at beginning of
+                    loop headers (default)
+                e - instrument inferred invariants at beginning and end
+                    of every block (this mode is intended for use in
+                    debugging of abstract domains)
+  /printInstrumented
+                print Boogie program after it has been instrumented with
+                invariants
+
+  ---- Debugging and general tracing options ---------------------------------
+
+  /silent       print nothing at all
+  /quiet        print nothing but warnings and errors
+  /trace        blurt out various debug trace information
+  /traceTimes   output timing information at certain points in the pipeline
+  /tracePOs     output information about the number of proof obligations
+                (also included in the /trace output)
+  /break        launch and break into debugger
+
+  ---- Civl options ----------------------------------------------------------
+
+  /trustMoverTypes
+                do not verify mover type annotations on atomic action declarations
+  /trustNoninterference
+                do not perform noninterference checks
+  /trustRefinement
+                do not perform refinement checks
+  /trustLayersUpto:<n>
+                do not verify layers <n> and below
+  /trustLayersDownto:<n>
+                do not verify layers <n> and above
+  /trustSequentialization
+                do not perform sequentialization checks
+  /civlDesugaredFile:<file>
+                print plain Boogie program to <file>
+
+  ---- Verification-condition generation options -----------------------------
+
+  /liveVariableAnalysis:<c>
+                0 = do not perform live variable analysis
+                1 = perform live variable analysis (default)
+                2 = perform interprocedural live variable analysis
+  /noVerify     skip VC generation and invocation of the theorem prover
+  /verifySnapshots:<n>
+                verify several program snapshots (named <filename>.v0.bpl
+                to <filename>.vN.bpl) using verification result caching:
+                0 - do not use any verification result caching (default)
+                1 - use the basic verification result caching
+                2 - use the more advanced verification result caching
+                3 - use the more advanced caching and report errors according
+                    to the new source locations for errors and their
+                    related locations (but not /errorTrace and CaptureState
+                    locations)
+  /traceCaching:<n>
+                0 (default) - none
+                1 - for testing
+                2 - for benchmarking
+                3 - for testing, benchmarking, and debugging
+  /verifySeparately
+                verify each input program separately
+  /removeEmptyBlocks:<c>
+                0 - do not remove empty blocks during VC generation
+                1 - remove empty blocks (default)
+  /coalesceBlocks:<c>
+                0 = do not coalesce blocks
+                1 = coalesce blocks (default)
+  /traceverify  print debug output during verification condition generation
+  /subsumption:<c>
+                apply subsumption to asserted conditions:
+                0 - never, 1 - not for quantifiers, 2 (default) - always
+  /alwaysAssumeFreeLoopInvariants
+                usually, a free loop invariant (or assume
+                statement in that position) is ignored in checking contexts
+                (like other free things); this option includes these free
+                loop invariants as assumes in both contexts
+  /inline:<i>   use inlining strategy <i> for procedures with the :inline
+                attribute, see /attrHelp for details:
+                  none
+                  assume (default)
+                  assert
+                  spec
+  /printInlined
+                print the implementation after inlining calls to
+                procedures with the :inline attribute (works with /inline)
+  /recursionBound:<n>
+                Set the recursion bound for stratified inlining to
+                be n (default 500)
+  /smoke        Soundness Smoke Test: try to stick assert false; in some
+                places in the BPL and see if we can still prove it
+  /smokeTimeout:<n>
+                Timeout, in seconds, for a single theorem prover
+                invocation during smoke test, defaults to 10.
+  /typeEncoding:<t>
+                Encoding of types when generating VC of a polymorphic program:
+                   m = monomorphic (default)
+                   p = predicates
+                   a = arguments
+                Boogie automatically detects monomorphic programs and enables
+                monomorphic VC generation, thereby overriding the above option.
+                If the latter two options are used, then arrays are handled via axioms.
+  /useArrayAxioms
+                If monomorphic type encoding is used, arrays are handled by default with
+                the SMT theory of arrays. This option allows the use of axioms instead.
+  /reflectAdd   In the VC, generate an auxiliary symbol, elsewhere defined
+                to be +, instead of +.
+  /prune:<n>
+                0 - Turn off pruning.
+                1 - Turn on pruning (default). Pruning will remove any top-level
+                Boogie declarations that are not accessible by the implementation
+                that is about to be verified. Without pruning, due to the unstable
+                nature of SMT solvers, a change to any part of a Boogie program
+                has the potential to affect the verification of any other part of
+                the program.
+
+                Only use this if your program contains uses clauses
+                where required, otherwise pruning will break your program.
+                More information can be found here: https://github.com/boogie-org/boogie/blob/afe8eb0ffbb48d593de1ae3bf89712246444daa8/Source/ExecutionEngine/CommandLineOptions.cs#L160
+  /printPruned:<file>
+                After pruning, print the Boogie program to the specified file.
+  /relaxFocus   Process foci in a bottom-up fashion. This way only generates
+                a linear number of splits. The default way (top-down) is more
+                aggressive and it may create an exponential number of splits.
+  /randomSeed:<s>
+                Supply the random seed for /randomizeVcIterations option.
+  /randomizeVcIterations:<n>
+                Turn on randomization of the input that Boogie passes to the
+                SMT solver and turn on randomization in the SMT solver itself.
+                Attempt to randomize and prove each VC n times using the random
+                seed s provided by the option /randomSeed:<s>. If /randomSeed option
+                is not provided, s is chosen to be zero.
+
+                Certain Boogie inputs are unstable in the sense that changes to 
+                the input that preserve its meaning may cause the output to change.
+                This option simulates meaning-preserving changes to the input
+                without requiring the user to actually make those changes.
+                This option is implemented by renaming variables and reordering
+                declarations in the input, and by setting solver options that have
+                similar effects.
+  /trackVerificationCoverage
+                Track and report which program elements labeled with an
+                `{:id ...}` attribute were necessary to complete verification.
+                Assumptions, assertions, requires clauses, ensures clauses,
+                assignments, and calls can be labeled for inclusion in this
+                report. This generalizes and replaces the previous
+                (undocumented) `/printNecessaryAssertions` option.
+
+  /keepQuantifier
+                If pool-based quantifier instantiation creates instances of a quantifier
+                then keep the quantifier along with the instances. By default, the quantifier
+                is dropped if any instances are created.
+
+  ---- Verification-condition splitting --------------------------------------
+
+  /vcsMaxCost:<f>
+                VC will not be split unless the cost of a VC exceeds this
+                number, defaults to 2000.0. This does NOT apply in the
+                keep-going mode after first round of splitting.
+  /vcsMaxSplits:<n>
+                Maximal number of VC generated per method. In keep
+                going mode only applies to the first round.
+                Defaults to 1.
+  /vcsMaxKeepGoingSplits:<n>
+                If set to more than 1, activates the keep
+                going mode, where after the first round of splitting,
+                VCs that timed out are split into <n> pieces and retried
+                until we succeed proving them, or there is only one
+                assertion on a single path and it timeouts (in which
+                case error is reported for that assertion).
+                Defaults to 1.
+  /vcsKeepGoingTimeout:<n>
+                Timeout in seconds for a single theorem prover
+                invocation in keep going mode, except for the final
+                single-assertion case. Defaults to 1s.
+  /vcsFinalAssertTimeout:<n>
+                Timeout in seconds for the single last
+                assertion in the keep going mode. Defaults to 30s.
+  /vcsPathJoinMult:<f>
+                If more than one path join at a block, by how much
+                multiply the number of paths in that block, to accomodate
+                for the fact that the prover will learn something on one
+                paths, before proceeding to another. Defaults to 0.8.
+  /vcsPathCostMult:<f1>
+  /vcsAssumeMult:<f2>
+                The cost of a block is
+                    (<assert-cost> + <f2>*<assume-cost>) *
+                    (1.0 + <f1>*<entering-paths>)
+                <f1> defaults to 1.0, <f2> defaults to 0.01.
+                The cost of a single assertion or assumption is
+                currently always 1.0.
+  /vcsPathSplitMult:<f>
+                If the best path split of a VC of cost A is into
+                VCs of cost B and C, then the split is applied if
+                A >= <f>*(B+C), otherwise assertion splitting will be
+                applied. Defaults to 0.5 (always do path splitting if
+                possible), set to more to do less path splitting
+                and more assertion splitting.
+  /vcsSplitOnEveryAssert
+                Splits every VC so that each assertion is isolated
+                into its own VC. May result in VCs without any assertions.
+  /vcsDumpSplits
+                For split #n dump split.n.dot and split.n.bpl.
+                Warning: Affects error reporting.
+  /vcsCores:<n>
+                Try to verify <n> VCs at once. Defaults to 1.
+  /vcsLoad:<f>  Sets vcsCores to the machine's ProcessorCount * f,
+                rounded to the nearest integer (where 0.0 <= f <= 3.0),
+                but never to less than 1.
+
+  ---- Prover options --------------------------------------------------------
+
+  /errorLimit:<num>
+                Limit the number of errors produced for each procedure
+                (default is 5, some provers may support only 1).
+                Set num to 0 to find as many assertion failures as possible.
+  /timeLimit:<num>
+                Limit the number of seconds spent trying to verify
+                each procedure
+  /rlimit:<num>
+                Limit the Z3 resource spent trying to verify each procedure.
+  /errorTrace:<n>
+                0 - no Trace labels in the error output,
+                1 (default) - include useful Trace labels in error output,
+                2 - include all Trace labels in the error output
+  /vcBrackets:<b>
+                bracket odd-charactered identifier names with |'s.  <b> is:
+                   0 - no (default),
+                   1 - yes
+  /proverDll:<tp>
+                use theorem prover <tp>, where <tp> is either the name of
+                a DLL containing the prover interface located in the
+                Boogie directory, or a full path to a DLL containing such
+                an interface. The default interface shipped is:
+                    SMTLib (uses the SMTLib2 format and calls an SMT solver)
+  /proverOpt:KEY[=VALUE]
+                Provide a prover-specific option (short form /p).
+  /proverHelp   Print prover-specific options supported by /proverOpt.
+  /proverLog:<file>
+                Log input for the theorem prover.  Like filenames
+                supplied as arguments to other options, <file> can use the
+                following macros:
+                    @TIME@    expands to the current time
+                    @PREFIX@  expands to the concatenation of strings given
+                              by /logPrefix options
+                    @FILE@    expands to the last filename specified on the
+                              command line
+                In addition, /proverLog can also use the macro '@PROC@',
+                which causes there to be one prover log file per
+                verification condition, and the macro then expands to the
+                name of the procedure that the verification condition is for.
+  /logPrefix:<str>
+                Defines the expansion of the macro '@PREFIX@', which can
+                be used in various filenames specified by other options.
+  /proverLogAppend
+                Append (not overwrite) the specified prover log file
+  /proverWarnings
+                0 (default) - don't print, 1 - print to stdout,
+                2 - print to stderr
+  /restartProver
+                Restart the prover after each query
+```
diff --git a/v4.10.0/DafnyRef/Plugins.md b/v4.10.0/DafnyRef/Plugins.md
new file mode 100644
index 0000000..c044914
--- /dev/null
+++ b/v4.10.0/DafnyRef/Plugins.md
@@ -0,0 +1,235 @@
+# 15. Plugins to Dafny {#sec-plugins}
+
+Dafny has a plugin architecture that permits users to build tools for the Dafny language without having to replicate 
+parsing and name/type resolution of Dafny programs. Such a tool might just do some analysis on the Dafny program,
+without concern for verifying or compiling the program. Or it might modify the program (actually, modify the program's AST) 
+and then continue on with verification and compilation with the core Dafny tool. A user plugin might also be used
+in the Language Server and thereby be available in the VSCode (or other) IDE.
+
+_**This is an experimental aspect of Dafny.**
+The plugin API directly exposes the Dafny AST, which is constantly evolving.
+Hence, always recompile your plugin against the binary of Dafny that will be importing your plugin._
+
+Plugins are libraries linked to a `Dafny.dll` of the same version as the Language Server.
+A plugin typically defines:
+
+* Zero or one class extending `Microsoft.Dafny.Plugins.PluginConfiguration`, which receives plugins arguments in its method `ParseArguments`, and
+  1. Can return a list of `Microsoft.Dafny.Plugins.Rewriter`s when its method `GetRewriters()` is called by Dafny,
+  2. Can return a list of `Microsoft.Dafny.Plugins.Compiler`s when its method `GetCompilers()` is called by Dafny,
+  3. If the configuration extends the subclass `Microsoft.Dafny.LanguageServer.Plugins.PluginConfiguration`:
+      1. Can return a list of `Microsoft.Dafny.LanguageServer.Plugins.DafnyCodeActionProvider`s when its method `GetDafnyCodeActionProviders()` is called by the Dafny Language Server.
+      2. Can return a modified version of `OmniSharp.Extensions.LanguageServer.Server.LanguageServerOptions` when its method `WithPluginHandlers()` is called by the Dafny Language Server.
+
+* Zero or more classes extending `Microsoft.Dafny.Plugins.Rewriter`.
+  If a configuration class is provided, it is responsible for instantiating them and returning them in `GetRewriters()`.
+  If no configuration class is provided, an automatic configuration will load every defined `Rewriter` automatically.
+* Zero or more classes extending `Microsoft.Dafny.Plugins.Compiler`.
+  If a configuration class is provided, it is responsible for instantiating them and returning them in `GetCompilers()`.
+  If no configuration class is provided, an automatic configuration will load every defined `Compiler` automatically.
+* Zero or more classes extending `Microsoft.Dafny.LanguageServer.Plugins.DafnyCodeActionProvider`.
+  Only a configuration class of type `Microsoft.Dafny.LanguageServer.Plugins.PluginConfiguration` can be responsible for instantiating them and returning them in `GetDafnyCodeActionProviders()`.
+
+The most important methods of the class `Rewriter` that plugins override are
+
+* (experimental) `PreResolve(ModuleDefinition)`: Here you can optionally modify the AST before it is resolved.
+* `PostResolve(ModuleDefinition)`: This method is repeatedly called with every resolved and type-checked module, before verification.
+  Plugins override this method typically to report additional diagnostics.
+* `PostResolve(Program)`: This method is called once after all `PostResolve(ModuleDefinition)` have been called.
+
+Plugins are typically used to report additional diagnostics such as unsupported constructs for specific compilers (through the methods `Èrror(...)` and `Warning(...)` of the field `Reporter` of the class `Rewriter`)
+
+Note that all plugin errors should use the original program's expressions' token and NOT `Token.NoToken`, else no error will be displayed in the IDE.
+
+## 15.1. Language Server plugin tutorial
+
+In this section, we will create a plugin that enhances the functionality of the Language Server.
+We will start by showing the steps needed to create a plugin, followed by an example implementation that demonstrates how to provide more code actions and add custom request handlers.
+
+### 15.1.1. Create plugin project
+
+Assuming the Dafny source code is installed in the folder `dafny/`
+start by creating an empty folder next to it, e.g. `PluginTutorial/`
+
+```bash
+mkdir PluginTutorial
+cd PluginTutorial
+```
+
+Then, create a dotnet class project
+
+```bash
+dotnet new classlib
+```
+
+It will create a file `Class1.cs` that you can rename
+
+```bash
+mv Class1.cs MyPlugin.cs
+```
+
+Open the newly created file `PluginTutorial.csproj`, and add the following after `</PropertyGroup>`:
+
+```xml
+  <ItemGroup>
+    <ProjectReference Include="../dafny/source/DafnyLanguageServer/DafnyLanguageServer.csproj" />
+  </ItemGroup>
+```
+### 15.1.2. Implement plugin
+
+#### 15.1.2.1. Code actions plugin
+
+This code action plugin will add a code action that allows you to place a dummy comment in front of the first method name, only if the selection is on the line of the method.
+
+Open the file `MyPlugin.cs`, remove everything, and write the imports and a namespace:
+
+```csharp
+using Microsoft.Dafny;
+using Microsoft.Dafny.LanguageServer.Plugins;
+using Microsoft.Boogie;
+using Microsoft.Dafny.LanguageServer.Language;
+using System.Linq;
+using Range = OmniSharp.Extensions.LanguageServer.Protocol.Models.Range;
+
+namespace MyPlugin;
+```
+
+After that, add a `PluginConfiguration` that will expose all the quickfixers of your plugin.
+This class will be discovered and instantiated automatically by Dafny.
+
+```csharp
+public class TestConfiguration : PluginConfiguration {
+  public override DafnyCodeActionProvider[] GetDafnyCodeActionProviders() {
+    return new DafnyCodeActionProvider[] { new AddCommentDafnyCodeActionProvider() };
+  }
+}
+```
+
+Note that you could also override the methods `GetRewriters()` and `GetCompilers()` for other purposes, but this is out of scope for this tutorial.
+
+Then, we need to create the quickFixer `AddCommentDafnyCodeActionProvider` itself:
+
+```csharp
+public class AddCommentDafnyCodeActionProvider : DafnyCodeActionProvider {
+  public override IEnumerable<DafnyCodeAction> GetDafnyCodeActions(IDafnyCodeActionInput input, Range selection) {
+    return new DafnyCodeAction[] { };
+  }
+}
+```
+
+For now, this quick fixer returns nothing. `input` is the program state, and `selection` is where the caret is.
+We replace the return statement with a conditional that tests whether the selection is on the first line:
+
+```csharp
+    var firstTokenRange = input.Program?.GetFirstTopLevelToken()?.GetLspRange();
+    if(firstTokenRange != null && firstTokenRange.Start.Line == selection.Start.Line) {
+      return new DafnyCodeAction[] {
+        // TODO
+      };
+    } else {
+      return new DafnyCodeAction[] { };
+    }
+```
+
+Every quick fix consists of a title (provided immediately), and zero or more `DafnyCodeActionEdit` (computed lazily).
+A `DafnyCodeActionEdit` has a `Range` to remove and some `string` to insert instead. All `DafnyCodeActionEdit`s
+of the same `DafnyCodeAction` are applied at the same time if selected.
+
+To create a `DafnyCodeAction`, we can either use the easy-to-use `InstantDafnyCodeAction`, which accepts a title and an array of edits:
+
+```csharp
+  return new DafnyCodeAction[] {
+    new InstantDafnyCodeAction("Insert comment", new DafnyCodeActionEdit[] {
+      new DafnyCodeActionEdit(firstTokenRange.GetStartRange(), "/*First comment*/")
+    })
+  };
+```
+
+or we can implement our custom inherited class of `DafnyCodeAction`:
+
+```csharp
+public class CustomDafnyCodeAction: DafnyCodeAction {
+  public Range whereToInsert;
+  
+  public CustomDafnyCodeAction(Range whereToInsert): base("Insert comment") {
+    this.whereToInsert = whereToInsert;
+  }
+  public override DafnyCodeActionEdit[] GetEdits() {
+    return new DafnyCodeActionEdit[] {
+      new DafnyCodeActionEdit(whereToInsert.GetStartRange(), "/*A comment*/")
+    };
+  }
+}
+```
+
+In that case, we could return:
+
+```csharp
+  return new DafnyCodeAction[] {
+    new CustomDafnyCodeAction(firstTokenRange)
+  };
+```
+
+#### 15.1.2.2. Request handler plugin
+
+This request handler plugin enhances the Language Server to support a request with a `TextDocumentIdentifier` as parameter, which will return a `bool` value denoting whether the provided `DocumentUri` has any `LoopStmt`'s in it.
+
+Open the file `MyPlugin.cs`, remove everything, and write the imports and a namespace:
+
+```csharp
+using OmniSharp.Extensions.JsonRpc;
+using OmniSharp.Extensions.LanguageServer.Server;
+using OmniSharp.Extensions.LanguageServer.Protocol.Models;
+using Microsoft.Dafny.LanguageServer.Plugins;
+using Microsoft.Dafny.LanguageServer.Workspace;
+using MediatR;
+using Microsoft.Dafny;
+
+namespace MyPlugin;
+```
+
+After that, add a `PluginConfiguration` that will add all the request handlers of your plugin.
+This class will be discovered and instantiated automatically by Dafny.
+
+```csharp
+public class TestConfiguration : PluginConfiguration {
+  public override LanguageServerOptions WithPluginHandlers(LanguageServerOptions options) {
+    return options.WithHandler<DummyHandler>();
+  }
+}
+```
+
+Then, we need to create the request handler `DummyHandler` itself:
+
+```csharp
+[Parallel]
+[Method("dafny/request/dummy", Direction.ClientToServer)]
+public record DummyParams : TextDocumentIdentifier, IRequest<bool>;
+
+public class DummyHandler : IJsonRpcRequestHandler<DummyParams, bool> {
+  private readonly IProjectDatabase projects;
+  public DummyHandler(IProjectDatabase projects) {
+    this.projects = projects;
+  }
+  public async Task<bool> Handle(DummyParams request, CancellationToken cancellationToken) {
+    var state = await projects.GetParsedDocumentNormalizeUri(request);
+    if (state == null) {
+      return false;
+    }
+    return state.Program.Descendants().OfType<LoopStmt>().Any();
+  }
+}
+```
+
+For more advanced example implementations of request handlers, look at `dafny/Source/DafnyLanguageServer/Handlers/*`.
+
+### 15.1.3. Building plugin
+
+That's it! Now, build your library while inside your folder:
+
+```bash
+> dotnet build
+```
+
+This will create the file `PluginTutorial/bin/Debug/net8.0/PluginTutorial.dll`.
+Now, open VSCode, open Dafny settings, and enter the absolute path to this DLL in the plugins section.
+Restart VSCode, and it should work!
diff --git a/v4.10.0/DafnyRef/Programs.md b/v4.10.0/DafnyRef/Programs.md
new file mode 100644
index 0000000..c579160
--- /dev/null
+++ b/v4.10.0/DafnyRef/Programs.md
@@ -0,0 +1,207 @@
+# 3. Programs ([grammar](#g-program)) {#sec-program}
+
+At the top level, a Dafny program (stored as files with extension `.dfy`)
+is a set of declarations. The declarations introduce (module-level)
+constants, methods, functions, lemmas, types (classes, traits, inductive and
+coinductive datatypes, newtypes, type synonyms, abstract types, and
+iterators) and modules, where the order of introduction is irrelevant. 
+Some types, notably classes, also may contain a set of declarations, introducing fields, methods,
+and functions.
+
+When asked to compile a program, Dafny looks for the existence of a
+`Main()` method. If a legal `Main()` method is found, the compiler will emit
+an executable appropriate to the target language; otherwise it will emit
+a library or individual files.
+The conditions for a legal `Main()` method are described in the User Guide
+([Section 3.4](#sec-user-guide-main)).
+If there is more than one `Main()`, Dafny will emit an error message.
+
+An invocation of Dafny may specify a number of source files.
+Each Dafny file follows the grammar of the ``Dafny`` non-terminal.
+
+A file consists of 
+- a sequence of optional _include_ directives, followed by 
+- top level declarations, followed by 
+- the end of the file.
+
+## 3.1. Include Directives ([grammar](#g-include-directive)) {#sec-include-directive}
+
+Examples:
+<!-- %no-check -->
+```dafny
+include "MyProgram.dfy"
+include @"/home/me/MyFile.dfy"
+```
+
+Include directives have the form ``"include" stringToken`` where
+the string token is either a normal string token or a
+verbatim string token. The ``stringToken`` is interpreted as the name of
+a file that will be included in the Dafny source. These included
+files also obey the ``Dafny`` grammar. Dafny parses and processes the
+transitive closure of the original source files and all the included files,
+but will not invoke the verifier on the included files unless they have been listed
+explicitly on the command line or the `--verify-included-files` option is
+specified.
+
+The file name may be a path using the customary `/`, `.`, and `..` punctuation.
+The interpretation of the name (e.g., case-sensitivity) will depend on the
+underlying operating system. A path not beginning with `/` is looked up in
+the underlying file system relative to the 
+_location of the file in which the include directive is stated_. 
+Paths beginning with a device
+designator (e.g., `C:`) are only permitted on Windows systems.
+Better style advocates using relative paths in include directives so that
+groups of files may be moved as a whole to a new location.
+
+Paths of files on the command-line or named in `--library` options are 
+relative the the current working directory.
+
+## 3.2. Top Level Declarations ([grammar](#g-top-level-declaration)) {#sec-top-level-declaration}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+abstract module M { }
+trait R { }
+class C { }
+datatype D = A | B
+newtype pos = i: int | i >= 0
+type T = i: int | 0 <= i < 100
+method m() {}
+function f(): int
+const c: bool
+```
+
+Top-level declarations may appear either at the top level of a Dafny file,
+or within a (sub)module declaration. A top-level declaration is one of
+various kinds of declarations described later. Top-level declarations are
+implicitly members of a default (unnamed) top-level module.
+
+Declarations within a module or at the top-level all begin with reserved keywords and do not end with semicolons.
+
+These declarations are one of these kinds:
+- methods and functions, encapsulating computations or actions
+- const declarations, which are names (of a given type) initialized to an unchanging value;
+  declarations of variables and mutable fields are not allowed at the module level
+- type declarations of various kinds ([Section 5](#sec-types) and the following sections)
+
+Methods, functions and const declarations are placed in an implicit class declaration
+that is in the top-level implicit module. These declarations are all implicitly
+`static` (and may not be declared explicitly static).
+
+## 3.3. Declaration Modifiers ([grammar](#g-declaration-modifier)) {#sec-declaration-modifier}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+abstract module M {
+  class C {
+    static method m() {}
+  }
+}
+ghost opaque const c : int
+```
+
+Top level declarations may be preceded by zero or more declaration
+modifiers. Not all of these are allowed in all contexts.
+
+The `abstract` modifier may only be used for module declarations.
+An abstract module can leave some entities underspecified.
+Abstract modules are not compiled.
+
+The `ghost` modifier is used to mark entities as being used for
+specification only, not for compilation to code.
+
+The `opaque` modifier may be used on const declarations and functions.
+
+The `static` modifier is used for class members that
+are associated with the class as a whole rather than with
+an instance of the class. This modifier may not be used with
+declarations that are implicitly static, as are members of the 
+top-level, unnamed implicit class.
+
+The following table shows modifiers that are available
+for each of the kinds of declaration. In the table
+we use already-ghost (already-non-ghost) to denote that the item is not
+allowed to have the ghost modifier because it is already
+implicitly ghost (non-ghost).
+
+
+ Declaration              | allowed modifiers
+--------------------------|---------------------------------------
+ module                   | abstract
+ class                    | -
+ trait                    | -
+ datatype or codatatype   | -
+ field (const)            | ghost opaque
+ newtype                  | -
+ synonym types            | -
+ iterators                | -
+ method                   | ghost static
+ lemma                    | already-ghost static
+ least lemma              | already-ghost static
+ greatest lemma           | already-ghost static
+ constructor              | ghost
+ function                 | ghost static opaque             (Dafny 4)
+ function method          | already-non-ghost static opaque (Dafny 3)
+ function (non-method)    | already-ghost static opaque     (Dafny 3)
+ predicate                | ghost static opaque             (Dafny 4)
+ predicate method         | already-non-ghost static opaque (Dafny 3)
+ predicate (non-method)   | already-ghost static opaque     (Dafny 3)
+ least predicate          | already-ghost static opaque
+ greatest predicate       | already-ghost static opaque
+
+
+## 3.4. Executable programs {#sec-user-guide-main}
+
+Dafny programs have an important emphasis on verification, but the programs 
+may also be executable.
+
+To be executable, the program must have exactly one `Main` method and that 
+method must be a legal main entry point.
+
+* The program is searched for a method with the attribute `{:main}`.
+If exactly one is found, that method is used as the entry point; if more
+than one method has the `{:main}` attribute, an error message is issued.
+* Otherwise, the program is searched for a method with the name `Main`.
+If more than one is found an error message is issued.
+
+Any abstract modules are not searched for candidate entry points,
+but otherwise the entry point may be in any module or type. In addition,
+an entry-point candidate must satisfy the following conditions:
+
+* The method has no type parameters and either has no parameters or one non-ghost parameter of type `seq<string>`.
+* The method has no non-ghost out-parameters.
+* The method is not a ghost method.
+* The method has no requires or modifies clauses, unless it is marked `{:main}`.
+* If the method is an instance (that is, non-static) method and the
+  enclosing type is a class,
+  then that class must not declare any constructor.
+  In this case, the runtime system will
+  allocate an object of the enclosing class and will invoke
+  the entry-point method on it.
+* If the method is an instance (that is, non-static) method and the
+  enclosing type is not a class,
+  then the enclosing type must, when instantiated with auto-initializing
+  type parameters, be an auto-initializing type.
+  In this case, the runtime system will
+  invoke the entry-point method on a value of the enclosing type.
+
+Note, however, that the following are allowed:
+
+* The method is allowed to have `ensures` clauses
+* The method is allowed to have `decreases` clauses, including a
+  `decreases *`. (If `Main()` has a `decreases *`, then its execution may
+  go on forever, but in the absence of a `decreases *` on `Main()`, `dafny`
+  will have verified that the entire execution will eventually
+  terminate.)
+
+If no legal candidate entry point is identified, `dafny` will still produce executable output files, but
+they will need to be linked with some other code in the target language that
+provides a `main` entry point.
+
+If the `Main` method takes an argument (of type `seq<string>`), the value of that input argument is the sequence
+of command-line arguments, with the first entry of the sequence (at index 0) being a system-determined name for the 
+executable being run.
+
+The exit code of the program, when executed, is not yet specified.
diff --git a/v4.10.0/DafnyRef/README.md b/v4.10.0/DafnyRef/README.md
new file mode 100644
index 0000000..2025fc7
--- /dev/null
+++ b/v4.10.0/DafnyRef/README.md
@@ -0,0 +1,115 @@
+
+This document describes information needed to maintain the Dafny Reference
+Manual, including information about syntax coloring.
+
+Note that the reference manual is written in github markdown,
+which is rendered by github servers for web browsing
+and by pandoc to create a Latex-style pdf.
+
+# The Dafny Reference Manual sources
+
+This folder holds the source for the Dafny Reference Manual. This is the second iteration of the DRM -- the first was based on madoko.
+Instead this source is GitHub markdown augmented by MathJax LaTeX math notation.The markdown source is rendered by github pages and can be transformed by
+pandoc into pdf, via LaTeX (see the Makefile in this folder).
+
+Some care must be taken to enable both modes of rendering.
+* Inline math is bracketed by $...$.
+* Displayed (centered) math is enclosed in <p style="text-align: center;">$$...$$</p> and similarly for centered non-math text.
+* The abstract is duplicated, to permit it to be part of the pdf title page.
+* The title page itself is written in header.tex, in LaTeX.
+
+In addition, some textual search and replace operations are implemented
+(see the Makefile) to perform section numbering uniformly and to adjust a few
+other aspects that are dissimilar between the pdf and online versions.
+
+GitHub pages are rendered (converted from markdown to html) using Jekyll.
+The result is a single, long html page.
+There are a number of configuration files for Jekyll in the `docs` folder and
+subfolders. In order to render files locally you must
+* have `ruby`, `bundler` and `jekyll` installed on your machine
+* set the working directly (`cd`) to the `docs` folder (Windows or Ruby 3.0 users, see below for some tweaks)
+* run the jekyll server: `bundle exec jekyll server`
+* open a browser on the page http://localhost:4000 or directly to http://localhost:4000/DafnyRef/DafnyRef
+* the server rerenders when files are changed -- but not always quite completely. Sometimes one must kill the server process, delete all the files in the _site folder, and restart the server.
+
+In order to convert markdown to pdf, you must be able to execute the Makefile, which requires installing pandoc and LaTeX, and being on a Linux-like platform.
+
+The Makefile does some preprocessing of the markdown files: it removes some
+markdown lines that are not interpreted by pandoc and adds some additional
+directives, such as page breaks.
+
+To re-generate `Options.txt`, run `make options` in the `DafnyRef` folder.
+
+## Windows users or Ruby 3.0 users
+
+You might want to apply this diff to the file `../GemFile`
+```diff
+gem "kramdown", ">= 2.3.1"
++gem "webrick"
+```
+
+and then run `bundle install`
+
+# Syntax Coloring
+
+Tools providing syntax coloring for programming language source typically
+require a PL-specific regular-expression based definition of the language
+syntax. Unfortunately there are many such tools.
+
+In the RM markdown sources, text bracketed by ` ```dafny ` and ` ``` ` will have
+syntax coloring for dafny applied. Text bracketed by
+` ```grammar ` and ` ``` ` has syntax coloring applied per the grammar
+definition file.
+
+## On-line RM through github
+Github uses rouge, via Jekyll. The syntax definition is a ruby-based file
+maintained in the rouge github repo.
+To modify the definition, follow
+[these](https://rouge-ruby.github.io/docs/file.LexerDevelopment.html)
+directions after [setting
+up](https://rouge-ruby.github.io/docs/file.DevEnvironment.html) a
+development environment.
+The file itself, `dafny.rb` is in Ruby. Details of the Ruby Regular
+Expression language can be found many places online, such as
+[here](https://www.princeton.edu/~mlovett/reference/Regular-Expressions.pdf).
+
+Within the github repo for rouge, the syntax definition file is
+`rouge/lib/rouge/lexers/dafny.rb`. You also need to maintain a
+test file, in `rouge/lib/rouge/demos/dafny` and a demonstration and
+development file in `rouge/spec/visual/samples/dafny`.
+The development instructions tell how to view this latter file as you
+debug or extend the definition file.
+
+Once you create a PR that is merged, github automatically (after a bit of a
+time lag) uses the file to render code snippets.
+[The rouge maintenance team must accept the PR -- it seems they are not
+very active.]
+
+The mapping from tokens to actual colors is specified separately from the
+syntax definition. The on-line rendering uses the Github default
+(which, at last investigation, was not changeable).
+
+Although the RM sources also contain grammar blocks, there is at present no
+rouge definition for these blocks.
+
+## Latex pdf
+
+The pdf version of the RM is created by `pandoc`, which uses the
+[KDE tool](https://docs.kde.org). pandoc references (via the command-line
+in the Makefile) local definition files that are in the Dafny github
+repository, at `dafny/docs/KDESyntaxDefinition/`. Though these definition
+files could be submitted to the KDE repo for public use, at present they
+are only local.
+
+One can test the syntax definition file by running the Makefile to create the
+pdf. One of the last pages of the RM is a test page for syntax coloring.
+
+The coloring style (mapping of tokens to colors) is set in the `dafny.theme` file.
+Note that there is a definition and theme for the grammar blocks in the pdf
+file as well.
+
+
+## LSP
+
+Many IDEs interact with Language Servers (via LSP). Possibly an LSP protocol
+will be generated in the future.
diff --git a/v4.10.0/DafnyRef/Refinement.md b/v4.10.0/DafnyRef/Refinement.md
new file mode 100644
index 0000000..5e1433a
--- /dev/null
+++ b/v4.10.0/DafnyRef/Refinement.md
@@ -0,0 +1,384 @@
+# 10. Refinement {#sec-module-refinement}
+
+Refinement is the process of replacing something somewhat abstract with something somewhat more concrete.
+For example, in one module one might declare a type name, with no definition,
+such as `type T`, and then in a refining module, provide a definition.
+One could prove general properties about the contents of an (abstract) module,
+and use that abstract module, and then later provide a more concrete implementation without having to redo all of the proofs.
+
+Dafny supports _module refinement_, where one module is created from another,
+and in that process the new module may be made more concrete than the previous.
+More precisely, refinement takes the following form in Dafny. One module
+declares some program entities. A second module _refines_ the first by
+declaring how to augment or replace (some of) those program entities.
+The first module is called the _refinement parent_; the second is the
+_refining_ module; the result of combining the two (the original declarations
+and the augmentation directives) is the _assembled_ module or _refinement result_.
+
+Syntactically, the refinement parent is a normal module declaration.
+The refining module declares which module is its refinement parent with the
+`refines` clause:
+<!-- %check-resolve -->
+```dafny
+module P { // refinement parent
+}
+module M refines P { // refining module
+}
+```
+
+The refinement result is created as follows.
+
+0) The refinement result is a module within the same enclosing module as the
+refining module, has the same name, and in fact replaces the refining module in their shared scope.
+
+1) All the declarations (including import and export declarations) of the parent are copied into the refinement result.
+These declarations are _not_ re-resolved. That is, the assignment of
+declarations and types to syntactic names is not changed. The refinement
+result may exist in a different enclosing module and with a different set of
+imports than the refinement parent, so that if names were reresolved, the
+result might be different (and possibly not semantically valid).
+This is why Dafny does not re-resolve the names in their new context.
+
+2) All the declarations of the refining module that have different names
+than the declarations in the refinement parent are also copied into the
+refinement result.
+However, because the refining module is just a set of augmentation
+directives and may refer to names copied from the refinement parent,
+resolution of names and types of the declarations copied in this step is
+performed in the context of the full refinement result.
+
+3) Where declarations in the parent and refinement module have the same name,
+the second refines the first and the combination, a refined declaration, is
+the result placed in the refinement result module, to the exclusion of the
+declarations with the same name from the parent and refinement modules.
+
+The way the refinement result declarations are assembled depends on the kind of declaration;
+the rules are described in subsections below.
+
+So that it is clear that refinement is taking place, refining declarations
+have some syntactic indicator that they are refining some parent declaration.
+Typically this is the presence of a `...` token.
+
+## 10.1. Export set declarations
+
+A refining export set declaration begins with [the syntax](#g-module-export)
+````grammar
+"export" Ident ellipsis
+````
+but otherwise contains the same `provides`, `reveals` and `extends` sections,
+with the ellipsis indicating that it is a refining declaration.
+
+The result declaration has the same name as the two input declarations and the unions of names from each of the `provides`, `reveals`, and `extends`
+sections, respectively.
+
+An unnamed export set declaration from the parent is copied into the result
+module with the name of the parent module. The result module has a default
+export set according to the general rules for export sets, after all of
+the result module's export set declarations have been assembled.
+
+## 10.2. Import declarations
+
+Aliasing import declarations are not refined. The result module contains the union
+of the import declarations from the two input modules.
+There must be no names in common among them.
+
+Abstract import declarations (declared with `:` instead of `=`, [Section 4.6](#sec-module-abstraction)) are refined. The refinement parent contains the
+abstract import and the refining module contains a regular aliasing
+import for the same name. Dafny checks that the refining import _adheres_ to
+the abstract import.
+
+## 10.3. Sub-module declarations
+
+With respect to refinement, a nested module behaves just like a top-level module. It may be declared abstract and it may be declared to `refine` some refinement parent. If the nested module is not refining anything and not being refined, then it is copied into the refinement result like any other declaration.
+
+Here is some example code:
+<!-- %check-verify -->
+```dafny
+abstract module P {
+  module A { const i := 5 }
+  abstract module B { type T }
+}
+
+module X refines P {
+  module B' refines P.B { type T = int }
+  module C { const k := 6}
+}
+
+module M {
+  import X
+  method m() {
+    var z: X.B'.T := X.A.i + X.C.k;
+  }
+}
+```
+The refinement result of `P` and `X` contains nested modules `A`, `B'`, and `C`. It is this refinement result that is imported into `M`.
+Hence the names `X.B'.T`, `X.A.i` and `X.C.k` are all valid.
+
+## 10.4. Const declarations
+
+Const declarations can be refined as in the following example.
+
+<!-- %check-verify -->
+```dafny
+module A {
+  const ToDefine: int
+  const ToDefineWithoutType: int
+  const ToGhost: int := 1
+}
+
+module B refines A {
+  const ToDefine: int := 2
+  const ToDefineWithoutType ... := 3
+  ghost const ToGhost: int
+  const NewConst: int
+}
+```
+
+Formally, a child `const` declaration may refine a `const` declaration
+from a parent module if
+
+* the parent has no initialization,
+* the child has the same type as the parent, and
+* one or both of the following holds:
+   * the child has an initializing expression
+   * the child is declared `ghost` and the parent is not `ghost`.
+
+A refining module can also introduce new `const` declarations that do
+not exist in the refinement parent.
+
+## 10.5. Method declarations
+
+Method declarations can be refined as in the following example.
+
+<!-- %check-verify -->
+```dafny
+abstract module A {
+  method ToImplement(x: int) returns (r: int)
+    ensures r > x
+
+  method ToStrengthen(x: int) returns (r: int)
+
+  method ToDeterminize(x: int) returns (r: int)
+    ensures r >= x
+  {
+    var y :| y >= x;
+    return y;
+  }
+
+}
+
+module B refines A {
+  method ToImplement(x: int) returns (r: int)
+  {
+    return x + 2;
+  }
+
+  method ToStrengthen ...
+    ensures r == x*2
+  {
+    return x*2;
+  }
+
+  method ToDeterminize(x: int) returns (r: int)
+  {
+    return x;
+  }
+}
+```
+
+Formally, a child `method` definition may refine a parent `method`
+declaration or definition by performing one or more of the following
+operations:
+
+* provide a body missing in the parent (as in `ToImplement`),
+* strengthen the postcondition of the parent method by adding one or more
+  `ensures` clauses (as in `ToStrengthen`),
+* provide a more deterministic version of a non-deterministic parent
+  body (as in `ToDeterminize`), or
+
+The type signature of a child method must be the same as that of the
+parent method it refines. This can be ensured by providing an explicit
+type signature equivalent to that of the parent (with renaming of
+parameters allowed) or by using an ellipsis (`...`) to indicate copying
+of the parent type signature. The body of a child method must satisfy
+any ensures clauses from its parent in addition to any it adds.
+
+A refined method is allowed only if it does not invalidate any parent
+lemmas that mention it.
+
+A refining module can also introduce new `method` declarations or
+definitions that do not exist in the refinement parent.
+
+## 10.6. Lemma declarations
+
+As lemmas are (ghost) methods, the description of method refinement from
+the previous section also applies to lemma refinement.
+
+A valid refinement is one that does not invalidate any proofs. A lemma
+from a refinement parent must still be valid for the refinement result
+of any method or lemma it mentions.
+
+## 10.7. Function and predicate declarations
+
+Function (and equivalently predicate) declarations can be refined as in
+the following example.
+
+<!-- %check-verify -->
+```dafny
+abstract module A {
+  function F(x: int): (r: int)
+    ensures r > x
+
+  function G(x: int): (r: int)
+    ensures r > x
+  { x + 1 }
+}
+
+module B refines A {
+  function F ...
+  { x + 1 }
+
+  function G ...
+    ensures r == x + 1
+}
+```
+
+Formally, a child `function` (or `predicate`) definition can refine a
+parent `function` (or `predicate`) declaration or definition to
+
+* provide a body missing in the parent,
+* strengthen the postcondition of the parent function by adding one or more
+  `ensures` clauses.
+
+The relation between the type signature of the parent and child function
+is the same as for methods and lemmas, as described in the previous section.
+
+A refining module can also introduce new `function` declarations or
+definitions that do not exist in the refinement parent.
+
+
+## 10.8. Class, trait and iterator declarations
+
+Class, trait, and iterator declarations are refined as follows: 
+- If a class (or trait or iterator, respectively) `C` in a refining parent contains a
+member that is not matched by a same-named member in the class `C` in the refining module, or vice-versa, then that class is copied as is to the 
+refinement result.
+- When there are members with the same name in the class in the refinement parent and in the refining module, then the combination occurs 
+according to the rules for that category of member.
+
+Here is an example code snippet:
+<!-- %check-verify -->
+```dafny
+abstract module P {
+  class C {
+    function F(): int
+      ensures F() > 0
+  }
+}
+
+module X refines P {
+  class C ... {
+    function F...
+      ensures F() > 0
+    { 1 }
+  }
+}
+```
+
+## 10.9. Type declarations
+
+Types can be refined in two ways:
+
+- Turning an abstract type into a concrete type;
+- Adding members to a datatype or a newtype.
+
+For example, consider the following abstract module:
+
+<!-- %check-verify %save Parent.tmp -->
+```dafny
+abstract module Parent {
+  type T
+  type B = bool
+  type S = s: string | |s| > 0 witness "!"
+  newtype Pos = n: nat | n > 0 witness 1
+  datatype Bool = True | False
+}
+```
+
+In this module, type `T` is opaque and hence can be refined with any type,
+including class types.  Types `B`, `S`, `Pos`, and `Bool` are concrete and
+cannot be refined further, except (for `Pos` and `Bool`) by giving them
+additional members or attributes (or refining their existing members, if any).
+Hence, the following are valid refinements:
+
+<!-- %check-verify %use Parent.tmp -->
+```dafny
+module ChildWithTrait refines Parent {
+  trait T {}
+}
+
+module ChildWithClass refines Parent {
+  class T {}
+}
+
+module ChildWithSynonymType refines Parent {
+  type T = bool
+}
+
+module ChildWithSubsetType refines Parent {
+  type T = s: seq<int> | s != [] witness [0]
+}
+
+module ChildWithDataType refines Parent {
+  datatype T = True | False
+}
+
+abstract module ChildWithExtraMembers refines Parent {
+  newtype Pos ... {
+    method Print() { print this; }
+  }
+
+  datatype Bool ... {
+    function AsDafnyBool() : bool { this.True? }
+  }
+}
+```
+
+(The last example is marked `abstract` because it leaves `T` opaque.)
+
+Note that datatype constructors, codatatype destructors, and newtype definitions
+cannot be refined: it is not possible to add or remove `datatype` constructors,
+nor to change destructors of a `codatatype`, nor to change the base
+type, constraint, or witness of a `newtype`.
+
+When a type takes arguments, its refinement must use the same type arguments
+with the same type constraints and the same variance.
+ 
+When a type has type constraints, these type constraints must be preserved by
+refinement.  This means that a type declaration `type T(!new)` cannot be refined
+by a `class T`, for example. Similarly, a `type T(00)` cannot be refined by a
+subset type with a `witness *` clause.
+
+The refinement of an abstract type with body-less members can include both a definition
+for the type along with a body for the member, as in this example:
+<!-- %check-verify -->
+```dafny
+abstract module P {
+  type T3 {
+    function ToString(): string
+  }
+}
+
+module X refines P {
+  newtype T3 = i | 0 <= i < 10 {
+    function ToString... { "" }
+  }
+}
+```
+
+Note that type refinements are not required to include the `...` indicator that they are refining a parent type.
+
+## 10.10. Statements
+
+The refinement syntax (`...`) in statements is deprecated.
+
diff --git a/v4.10.0/DafnyRef/Specifications.1.expect b/v4.10.0/DafnyRef/Specifications.1.expect
new file mode 100644
index 0000000..0d72c58
--- /dev/null
+++ b/v4.10.0/DafnyRef/Specifications.1.expect
@@ -0,0 +1,3 @@
+text.dfy(3,3): Error: cannot prove termination; try supplying a decreases clause
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Specifications.2.expect b/v4.10.0/DafnyRef/Specifications.2.expect
new file mode 100644
index 0000000..6d4e1a7
--- /dev/null
+++ b/v4.10.0/DafnyRef/Specifications.2.expect
@@ -0,0 +1,3 @@
+text.dfy(4,2): Warning: this loop has no body (loop frame: i)
+
+Dafny program verifier did not attempt verification
diff --git a/v4.10.0/DafnyRef/Specifications.md b/v4.10.0/DafnyRef/Specifications.md
new file mode 100644
index 0000000..0c3159b
--- /dev/null
+++ b/v4.10.0/DafnyRef/Specifications.md
@@ -0,0 +1,955 @@
+# 7. Specifications {#sec-specifications}
+
+Specifications describe logical properties of Dafny methods, functions,
+lambdas, iterators and loops. They specify preconditions, postconditions,
+invariants, what memory locations may be read or modified, and
+termination information by means of _specification clauses_.
+For each kind of specification, zero or more specification
+clauses (of the type accepted for that type of specification)
+may be given, in any order.
+
+We document specifications at these levels:
+
+- At the lowest level are the various kinds of specification clauses,
+  e.g., a ``RequiresClause``.
+- Next are the specifications for entities that need them,
+  e.g., a ``MethodSpec``, which typically consist of a sequence of
+  specification clauses.
+- At the top level are the entity declarations that include
+  the specifications, e.g., ``MethodDecl``.
+
+This section documents the first two of these in a bottom-up manner.
+We first document the clauses and then the specifications
+that use them.
+
+Specification clauses typically appear in a sequence. They all begin with a 
+keyword and do not end with semicolons.
+
+## 7.1. Specification Clauses {#sec-specification-clauses}
+
+
+Within expressions in specification clauses, you can use
+[specification expressions](#sec-list-of-specification-expressions) along with any [other expressions](#sec-expressions) you need.
+
+### 7.1.1. Requires Clause ([grammar](#g-requires-clause)) {#sec-requires-clause}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+method m(i: int)
+  requires true
+  requires i > 0
+  requires L: 0 < i < 10
+```
+
+The `requires` clauses specify preconditions for methods,
+functions, lambda expressions and iterators. Dafny checks
+that the preconditions are met at all call sites. The
+callee may then assume the preconditions hold on entry.
+
+If no `requires` clause is specified, then a default implicit
+clause `requires true` is used.
+
+If more than one `requires` clause is given, then the
+precondition is the conjunction of all of the expressions
+from all of the `requires` clauses, with a collected list
+of all the given Attributes. The order of conjunctions
+(and hence the order of `requires` clauses with respect to each other)
+can be important: earlier conjuncts can set conditions that
+establish that later conjuncts are well-defined.
+
+The attributes recognized for requires clauses are discussed in [Section 11.4](#sec-verification-attributes-on-assertions).
+
+A requires clause can have [custom error and success messages](#sec-error-attribute).
+
+### 7.1.2. Ensures Clause ([grammar](#g-ensures-clause)) {#sec-ensures-clause}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+method {:axiom} m(i: int) returns (r: int)
+  ensures r > 0
+```
+
+An `ensures` clause specifies the post condition for a
+method, function or iterator.
+
+If no `ensures` clause is specified, then a default implicit
+clause `ensures true` is used.
+
+If more than one `ensures` clause is given, then the
+postcondition is the conjunction of all of the expressions
+from all of the `ensures` clauses, with a
+collected list of all the given Attributes.
+The order of conjunctions
+(and hence the order of `ensures` clauses with respect to each other)
+can be important: earlier conjuncts can set conditions that
+establish that later conjuncts are well-defined.
+
+The attributes recognized for ensures clauses are discussed in [Section 11.4](#sec-verification-attributes-on-assertions).
+
+An ensures clause can have [custom error and success messages](#sec-error-attribute).
+
+### 7.1.3. Decreases Clause ([grammar](#g-decreases-clause)) {#sec-decreases-clause}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+method m(i: int, j: int) returns (r: int)
+  decreases i, j
+method n(i: int) returns (r: int)
+  decreases *
+```
+Decreases clauses are used to prove termination in the
+presence of recursion. If more than one `decreases` clause is given
+it is as if a single `decreases` clause had been given with the
+collected list of arguments and a collected list of Attributes. That is,
+
+<!-- %no-check -->
+```dafny
+decreases A, B
+decreases C, D
+```
+
+is equivalent to
+
+<!-- %no-check -->
+```dafny
+decreases A, B, C, D
+```
+Note that changing the order of multiple `decreases` clauses will change
+the order of the expressions within the equivalent single `decreases`
+clause, and will therefore have different semantics.
+
+Loops and compiled methods (but not functions and not ghost methods,
+including lemmas) can be specified to be possibly non-terminating.
+This is done by declaring the method or loop with `decreases *`, which
+causes the proof of termination to be skipped. If a `*` is present
+in a `decreases` clause, no other expressions are allowed in the
+`decreases` clause. A method that contains a possibly non-terminating
+loop or a call to a possibly non-terminating method must itself be
+declared as possibly non-terminating.
+
+Termination metrics in Dafny, which are declared by `decreases` clauses,
+are lexicographic tuples of expressions. At each recursive (or mutually
+recursive) call to a function or method, Dafny checks that the effective
+`decreases` clause of the callee is strictly smaller than the effective
+`decreases` clause of the caller.
+
+ What does "strictly smaller" mean? Dafny provides a built-in
+ well-founded order for every type and, in some cases, between types. For
+ example, the Boolean `false` is strictly smaller than `true`, the
+ integer `78` is strictly smaller than `102`, the set `{2,5}` is strictly
+ smaller than (because it is a proper subset of) the set `{2,3,5}`, and for `s` of type `seq<Color>` where
+ `Color` is some inductive datatype, the color `s[0]` is strictly less than
+ `s` (provided `s` is nonempty).
+
+What does "effective decreases clause" mean? Dafny always appends a
+"top" element to the lexicographic tuple given by the user. This top
+element cannot be syntactically denoted in a Dafny program and it never
+occurs as a run-time value either. Rather, it is a fictitious value,
+which here we will denote $\top$, such that each value that can ever occur
+in a Dafny program is strictly less than $\top$. Dafny sometimes also
+prepends expressions to the lexicographic tuple given by the user. The
+effective decreases clause is any such prefix, followed by the
+user-provided decreases clause, followed by $\top$. We said "user-provided
+decreases clause", but if the user completely omits a `decreases` clause,
+then Dafny will usually make a guess at one, in which case the effective
+decreases clause is any prefix followed by the guess followed by $\top$.
+
+Here is a simple but interesting example: the Fibonacci function.
+
+<!-- %check-verify -->
+```dafny
+function Fib(n: nat) : nat
+{
+  if n < 2 then n else Fib(n-2) + Fib(n-1)
+}
+```
+
+In this example, Dafny supplies a `decreases n` clause.
+
+Let's take a look at the kind of example where a mysterious-looking
+decreases clause like "Rank, 0" is useful.
+
+Consider two mutually recursive methods, `A` and `B`:
+<!-- %check-verify Specifications.1.expect -->
+```dafny
+method A(x: nat)
+{
+  B(x);
+}
+
+method B(x: nat)
+{
+  if x != 0 { A(x-1); }
+}
+```
+
+To prove termination of `A` and `B`, Dafny needs to have effective
+decreases clauses for A and B such that:
+
+* the measure for the callee `B(x)` is strictly smaller than the measure
+  for the caller `A(x)`, and
+
+* the measure for the callee `A(x-1)` is strictly smaller than the measure
+  for the caller `B(x)`.
+
+Satisfying the second of these conditions is easy, but what about the
+first? Note, for example, that declaring both `A` and `B` with "decreases x"
+does not work, because that won't prove a strict decrease for the call
+from `A(x)` to `B(x)`.
+
+Here's one possibility:
+<!-- %check-verify -->
+```dafny
+method A(x: nat)
+  decreases x, 1
+{
+  B(x);
+}
+
+method B(x: nat)
+  decreases x, 0
+{
+  if x != 0 { A(x-1); }
+}
+```
+
+For the call from `A(x)` to `B(x)`, the lexicographic tuple `"x, 0"` is
+strictly smaller than `"x, 1"`, and for the call from `B(x)` to `A(x-1)`, the
+lexicographic tuple `"x-1, 1"` is strictly smaller than `"x, 0"`.
+
+ Two things to note: First, the choice of "0" and "1" as the second
+ components of these lexicographic tuples is rather arbitrary. It could
+ just as well have been "false" and "true", respectively, or the sets
+ `{2,5}` and `{2,3,5}`. Second, the keyword `decreases` often gives rise to
+ an intuitive English reading of the declaration. For example, you might
+ say that the recursive calls in the definition of the familiar Fibonacci
+ function `Fib(n)` "decreases n". But when the lexicographic tuple contains
+ constants, the English reading of the declaration becomes mysterious and
+ may give rise to questions like "how can you decrease the constant 0?".
+ The keyword is just that---a keyword. It says "here comes a list of
+ expressions that make up the lexicographic tuple we want to use for the
+ termination measure". What is important is that one effective decreases
+ clause is compared against another one, and it certainly makes sense to
+ compare something to a constant (and to compare one constant to
+ another).
+
+ We can simplify things a little bit by remembering that Dafny appends
+ $\top$ to the user-supplied decreases clause. For the A-and-B example,
+ this lets us drop the constant from the `decreases` clause of A:
+
+<!-- %check-verify -->
+```dafny
+method A(x: nat)
+   decreases x
+{
+  B(x);
+}
+
+method B(x: nat)
+  decreases x, 0
+{
+  if x != 0 { A(x-1); }
+}
+```
+
+The effective decreases clause of `A` is $(x, \top)$ and the effective
+decreases clause of `B` is $(x, 0, \top)$. These tuples still satisfy the two
+conditions $(x, 0, \top) < (x, \top)$ and $(x-1, \top) < (x, 0, \top)$. And
+as before, the constant "0" is arbitrary; anything less than $\top$ (which
+is any Dafny expression) would work.
+
+Let's take a look at one more example that better illustrates the utility
+of $\top$. Consider again two mutually recursive methods, call them `Outer`
+and `Inner`, representing the recursive counterparts of what iteratively
+might be two nested loops:
+<!-- %check-verify -->
+```dafny
+method Outer(x: nat)
+{
+  // set y to an arbitrary non-negative integer
+  var y :| 0 <= y;
+  Inner(x, y);
+}
+
+method Inner(x: nat, y: nat)
+{
+  if y != 0 {
+    Inner(x, y-1);
+  } else if x != 0 {
+    Outer(x-1);
+  }
+}
+```
+The body of `Outer` uses an assign-such-that statement to represent some
+computation that takes place before `Inner` is called. It sets "y" to some
+arbitrary non-negative value. In a more concrete example, `Inner` would do
+some work for each "y" and then continue as `Outer` on the next smaller
+"x".
+
+Using a `decreases` clause $(x, y)$ for `Inner` seems natural, but if
+we don't have any bound on the size of the $y$ computed by `Outer`,
+there is no expression we can write in the `decreases` clause of `Outer`
+that is sure to lead to a strictly smaller value for $y$ when `Inner`
+is called. $\top$ to the rescue. If we arrange for the effective
+decreases clause of `Outer` to be $(x, \top)$ and the effective decreases
+clause for `Inner` to be $(x, y, \top)$, then we can show the strict
+decreases as required. Since $\top$ is implicitly appended, the two
+decreases clauses declared in the program text can be:
+<!-- %check-verify -->
+```dafny
+method Outer(x: nat)
+  decreases x
+{
+  // set y to an arbitrary non-negative integer
+  var y :| 0 <= y;
+  Inner(x, y);
+}
+
+method Inner(x: nat, y: nat)
+  decreases x,y
+{
+  if y != 0 {
+    Inner(x, y-1);
+  } else if x != 0 {
+    Outer(x-1);
+  }
+}
+```
+Moreover, remember that if a function or method has no user-declared
+`decreases` clause, Dafny will make a guess. The guess is (usually)
+the list of arguments of the function/method, in the order given. This is
+exactly the decreases clauses needed here. Thus, Dafny successfully
+verifies the program without any explicit `decreases` clauses:
+<!-- %check-verify -->
+```dafny
+method Outer(x: nat)
+{
+  var y :| 0 <= y;
+  Inner(x, y);
+}
+
+method Inner(x: nat, y: nat)
+{
+  if y != 0 {
+    Inner(x, y-1);
+  } else if x != 0 {
+    Outer(x-1);
+  }
+}
+```
+The ingredients are simple, but the end result may seem like magic. 
+For many users, however, there may be no magic at all 
+-- the end result may be so natural that the user never even has to 
+be bothered to think about that there was a need to prove 
+termination in the first place.
+
+Dafny also prepends two expressions to the user-specified (or guessed) tuple of expressions
+in the decreases clause. The first expression is the ordering of
+the module containing the decreases clause in the dependence-ordering of 
+modules. That is, a module that neither imports or defines (as submodules) any other modules 
+has the lowest value in the order and every other module has a value that is higher than
+that of any module it defines or imports. As a module cannot call a method in a
+module that it does not depend on, this is an effective first component to the
+overall decreases tuple.
+
+The second prepended expression represents the position
+of the method in the call graph within a module. Dafny analyzes the call-graph of the 
+module, grouping all methods into mutually-recursive groups.
+Any method that calls nothing else is at the lowest level (say level 0).
+Absent recursion, every method has a level value strictly greater than any method it calls.
+Methods that are mutually recursive are at the same level and they are above
+the level of anything else they call. With this level value prepended to 
+the decreases clause, the decreases tuple automatically decreases on any
+calls in a non-recursive context.
+
+Though Dafny fixes a well-founded order that it uses when checking
+termination, Dafny does not normally surface this ordering directly in
+expressions. However, it is possible to write such ordering constraints
+using [`decreases to` expressions](#sec-termination-ordering-expressions).
+
+### 7.1.4. Framing ([grammar](#g-frame-expression)) {#sec-frame-expression}
+
+Examples:
+<!-- %no-check -->
+```dafny
+*
+o
+o`a
+`a
+{ o, p, q }
+{}
+```
+
+Frame expressions are used to denote the set of memory locations
+that a Dafny program element may read or write. 
+They are used in `reads` and `modifies` clauses.
+A frame expression is a set expression. The form `{}` is the empty set.
+The type of the frame expression is `set<object>`.
+
+Note that framing only applies to the heap, or memory accessed through
+references. Local variables are not stored on the heap, so they cannot be
+mentioned (well, they are not in scope in the declaration) in frame
+annotations. Note also that types like sets, sequences, and multisets are
+value types, and are treated like integers or local variables. Arrays and
+objects are reference types, and they are stored on the heap (though as
+always there is a subtle distinction between the reference itself and the
+value it points to.)
+
+
+The ``FrameField`` construct is used to specify a field of a
+class object. The identifier following the back-quote is the
+name of the field being referenced.
+If the `FrameField` is preceded by an expression the expression
+must be a reference to an object having that field.
+If the `FrameField` is not preceded by an expression then
+the frame expression is referring to that field of the current
+object (`this`). This form is only used within a method of a class or trait.
+
+A ``FrameField`` can be useful in the following case:
+When a method modifies only one field, rather than writing
+
+<!-- %check-verify -->
+```dafny
+class A {
+  var i: int
+  var x0: int
+  var x1: int
+  var x2: int
+  var x3: int
+  var x4: int
+  method M()
+    modifies this
+    ensures unchanged(`x0) && unchanged(`x1) && unchanged(`x2) && unchanged(`x3) && unchanged(`x4)
+  { i := i + 1; }
+}
+```
+
+one can write the more concise:
+
+<!-- %check-verify -->
+```dafny
+class A {
+  var i: int
+  var x0: int
+  var x1: int
+  var x2: int
+  var x3: int
+  var x4: int
+  method M()
+    modifies `i
+  { i := i + 1; }
+}
+```
+
+There's (unfortunately) no form of it for array
+elements -- but to account for unchanged elements, you can always write
+`forall i | 0 <= i < |a| :: unchanged(a[i])`.
+
+A ``FrameField`` is not taken into consideration for
+lambda expressions.
+
+### 7.1.5. Reads Clause ([grammar](#g-reads-clause)) {#sec-reads-clause}
+
+Examples:
+<!-- %no-check -->
+```dafny
+const o: object
+const o, oo: object
+function f()
+  reads *
+function g()
+  reads o, oo
+function h()
+  reads { o }
+method f()
+  reads *
+method g()
+  reads o, oo
+method h()
+  reads { o }
+```
+
+Functions are not allowed to have side effects; they may also be restricted in
+what they can read. The _reading frame_ of a function (or predicate) consists of all
+the heap memory locations that the function is allowed to read. The reason we
+might limit what a function can read is so that when we write to memory,
+we can be sure that functions that did not read that part of memory have
+the same value they did before. For example, we might have two arrays,
+one of which we know is sorted. If we did not put a reads annotation on
+the sorted predicate, then when we modify the unsorted array, we cannot
+determine whether the other array stopped being sorted. While we might be
+able to give invariants to preserve it in this case, it gets even more
+complex when manipulating data structures. In this case, framing is
+essential to making the verification process feasible.
+
+By default, methods are not required to list the memory location they read.
+However, there are use cases for restricting what methods can read as well.
+In particular, if you want to verify that imperative code is safe to execute concurrently when compiled,
+you can specify that a method does not read or write any shared state,
+and therefore cannot encounter race conditions or runtime crashes related to
+unsafe communication between concurrent executions.
+See [the `{:concurrent}` attribute](#sec-concurrent-attribute) for more details.
+
+It is not just the body of a function or method that is subject to `reads`
+checks, but also its precondition and the `reads` clause itself.
+
+A `reads` clause can list a wildcard `*`, which allows the enclosing
+function or method to read anything. 
+This is the implicit default for methods with no `reads` clauses,
+allowing methods to read whatever they like.
+The default for functions, however, is to not allow reading any memory.
+Allowing functions to read arbitrary memory is more problematic:
+in many cases, and in particular in all cases
+where the function is defined recursively, this makes it next to
+impossible to make any use of the function. Nevertheless, as an
+experimental feature, the language allows it (and it is sound).
+If a `reads` clause uses `*`, then the `reads` clause is not allowed to
+mention anything else (since anything else would be irrelevant, anyhow).
+
+A `reads` clause specifies the set of memory locations that a function,
+lambda, or method may read. The readable memory locations are all the fields
+of all of the references given in the set specified in the frame expression
+and the single fields given in [`FrameField`](#sec-frame-expression) elements of the frame expression.
+For example, in
+<!-- %check-verify -->
+```dafny
+class C {
+  var x: int
+  var y: int
+
+  predicate f(c: C) 
+    reads this, c`x
+  {
+    this.x == c.x
+  }
+}
+```
+the `reads` clause allows reading `this.x`, `this,y`, and `c.x` (which may be the same
+memory location as `this.x`).
+}
+
+If more than one `reads` clause is given
+in a specification the effective read set is the union of the sets
+specified. If there are no `reads` clauses the effective read set is
+empty. If `*` is given in a `reads` clause it means any memory may be
+read.
+
+If a `reads` clause refers to a sequence or multiset, that collection
+(call it `c`) is converted to a set by adding an implicit set
+comprehension of the form `set o: object | o in c` before computing the
+union of object sets from other `reads` clauses.
+
+An expression in a `reads` clause is also allowed to be a function call whose value is 
+a collection of references. Such an expression is converted to a set by taking the
+union of the function's image over all inputs. For example, if `F` is
+a function from `int` to `set<object>`, then `reads F` has the meaning
+
+<!-- %no-check -->
+```dafny
+set x: int, o: object | o in F(x) :: o
+```
+
+For each function value `f`, Dafny defines the function `f.reads`,
+which takes the same arguments as `f` and returns that set of objects
+that `f` reads (according to its reads clause) with those arguments.
+`f.reads` has type `T ~> set<object>`, where `T` is the input type(s) of `f`.
+
+This is particularly useful when wanting to specify the reads set of
+another function. For example, function `Sum` adds up the values of
+`f(i)` where `i` ranges from `lo` to `hi`:
+
+<!-- %check-verify -->
+```dafny
+function Sum(f: int ~> real, lo: int, hi: int): real
+  requires lo <= hi
+  requires forall i :: f.requires(i)
+  reads f.reads
+  decreases hi - lo
+{
+  if lo == hi then 0.0 else
+    f(lo) + Sum(f, lo + 1, hi)
+}
+```
+
+Its `reads` specification says that `Sum(f, lo, hi)` may read anything
+that `f` may read on any input.  (The specification
+`reads f.reads` gives an overapproximation of what `Sum` will actually
+read. More precise would be to specify that `Sum` reads only what `f`
+reads on the values from `lo` to `hi`, but the larger set denoted by
+`reads f.reads` is easier to write down and is often good enough.)
+
+Without such `reads` function, one could also write the more precise
+and more verbose:
+<!-- %check-verify -->
+```dafny
+function Sum(f: int ~> real, lo: int, hi: int): real
+  requires lo <= hi
+  requires forall i :: lo <= i < hi ==> f.requires(i)
+  reads set i, o | lo <= i < hi && o in f.reads(i) :: o
+  decreases hi - lo
+{
+  if lo == hi then 0.0 else
+    f(lo) + Sum(f, lo + 1, hi)
+}
+```
+
+Note, only `reads` clauses, not `modifies` clauses, are allowed to
+include functions as just described.
+
+Iterator specifications also allow `reads` clauses,
+with the same syntax and interpretation of arguments as above,
+but the meaning is quite different!
+See [Section 5.11](#sec-iterator-types) for more details.
+
+### 7.1.6. Modifies Clause ([grammar](#g-modifies-clause)) {#sec-modifies-clause}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+class A { var f: int }
+const o: object?
+const p: A?
+method M()
+  modifies { o, p }
+method N()
+  modifies { }
+method Q()
+  modifies o, p`f
+```
+
+By default, methods are allowed to read
+whatever memory they like, but they are required to list which parts of
+memory they modify, with a `modifies` annotation. These are almost identical
+to their `reads` cousins, except they say what can be changed, rather than
+what the definition depends on. In combination with reads,
+modification restrictions allow Dafny to prove properties of code that
+would otherwise be very difficult or impossible. Reads and modifies are
+one of the tools that allow Dafny to work on one method at a time,
+because they restrict what would otherwise be arbitrary modifications of
+memory to something that Dafny can reason about.
+
+Just as for a `reads` clause, the memory locations allowed to be modified
+in a method are all the fields of any object reference in the frame expression
+set and any specific field denoted by a [`FrameField`](#sec-frame-expression) in the `modifies` clause.
+For example, in
+<!-- %check-resolve -->
+```dafny
+class C {
+  var next: C?
+  var value: int
+
+  method M() 
+    modifies next
+  { 
+    ... 
+  }
+}
+```
+method `M` is permitted to modify `this.next.next` and `this.next.value`
+but not `this.next`. To be allowed to modify `this.next`, the modifies clause
+must include `this`, or some expression that evaluates to `this`, or ``this`next``.
+
+If an object is newly allocated within the body of a method
+or within the scope of a `modifies` statement or a loop's `modifies` clause,
+ then the fields of that object may always be modified.
+
+A `modifies` clause specifies the set of memory locations that a
+method, iterator or loop body may modify. If more than one `modifies`
+clause is given in a specification, the effective modifies set is the
+union of the sets specified. If no `modifies` clause is given the
+effective modifies set is empty. There is no wildcard (`*`) allowed in
+a modifies clause. A loop can also have a
+`modifies` clause. If none is given, the loop may modify anything
+the enclosing context is allowed to modify.
+
+Note that _modifies_ here is used in the sense of _writes_. That is, a field
+that may not be modified may not be written to, even with the same value it
+already has or even if the value is restored later. The terminology and
+semantics varies among specification languages. Some define frame conditions
+in this sense (a) of _writes_ and others in the sense (b) that allows writing
+a field with the same value or changing the value so long as the original
+value is restored by the end of the scope. For example, JML defines
+`assignable` and `modifies` as synonyms in the sense (a), though KeY
+interprets JML's `assigns/modifies` in sense (b).
+ACSL and ACSL++ use the `assigns` keyword, but with _modify_ (b) semantics.
+Ada/SPARK's dataflow contracts encode _write_ (a) semantics.
+
+### 7.1.7. Invariant Clause ([grammar](#g-invariant-clause)) {#sec-invariant-clause}
+
+Examples:
+<!-- %check-resolve-warn Specifications.2.expect -->
+```dafny
+method m()
+{
+  var i := 10;
+  while 0 < i
+    invariant 0 <= i < 10
+}
+```
+
+An `invariant` clause is used to specify an invariant
+for a loop. If more than one `invariant` clause is given for
+a loop, the effective invariant is the conjunction of
+the conditions specified, in the order given in the source text.
+
+The invariant must hold on entry to the loop. And assuming it
+is valid on entry to a particular iteration of the loop, 
+Dafny must be able to prove that it then
+holds at the end of that iteration of the loop.
+
+An invariant can have [custom error and success messages](#sec-error-attribute).
+
+## 7.2. Method Specification ([grammar](#g-method-specification)) {#sec-method-specification}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+class C {
+  var next: C?
+  var value: int
+
+  method M(i: int) returns (r: int)
+    requires i >= 0
+    modifies next
+    decreases i
+    ensures r >= 0
+  { 
+    ... 
+  }
+}
+```
+
+A method specification consists of zero or more `reads`, `modifies`, `requires`,
+`ensures` or `decreases` clauses, in any order.
+A method does not need `reads` clauses in most cases,
+because methods are allowed to read any memory by default,
+but `reads` clauses are supported for use cases such as verifying safe concurrent execution.
+See [the `{:concurrent}` attribute](#sec-concurrent-attribute) for more details.
+
+## 7.3. Function Specification ([grammar](#g-function-specification)) {#sec-function-specification}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+class C {
+  var next: C?
+  var value: int
+
+  function M(i: int): (r: int)
+    requires i >= 0
+    reads this
+    decreases i
+    ensures r >= 0
+  { 
+    0 
+  }
+}
+```
+
+A function specification is zero or more `reads`, `requires`,
+`ensures` or `decreases` clauses, in any order. A function
+specification does not have `modifies` clauses because functions are not
+allowed to modify any memory.
+
+## 7.4. Lambda Specification ([grammar](#g-lambda-specification)) {#sec-lambda-specification}
+
+A lambda specification provides a specification for a lambda function expression;
+it consists of zero or more `reads` or `requires` clauses.
+Any `requires` clauses may not have labels or attributes.
+Lambda specifications do not have `ensures` clauses because the body
+is never opaque.
+Lambda specifications do not have `decreases`
+clauses because lambda expressions do not have names and thus cannot be recursive. A
+lambda specification does not have `modifies` clauses because lambdas
+are not allowed to modify any memory.
+
+## 7.5. Iterator Specification ([grammar](#g-iterator-specification)) {#sec-iterator-specification}
+
+An iterator specification may contains `reads`, `modifies`, 
+`decreases`, `requires`, `yield requires, `ensures`
+and `yield ensures` clauses.
+
+An iterator specification applies both to the iterator's constructor
+method and to its `MoveNext` method.
+- The `reads` and `modifies`
+clauses apply to both of them (but `reads` clauses have a [different meaning on iterators](#sec-iterator-types) than on functions or methods).
+- The `requires` and `ensures` clauses apply to the constructor.
+- The `yield requires` and `yield ensures` clauses apply to the `MoveNext` method.
+
+Examples of iterators, including iterator specifications, are given in
+[Section 5.11](#sec-iterator-types). Briefly
+- a requires clause gives a precondition for creating an iterator
+- an ensures clause gives a postcondition when the iterator exits (after all iterations are complete)
+- a decreases clause is used to show that the iterator will eventually terminate
+- a yield requires clause is a precondition for calling `MoveNext`
+- a yield ensures clause is a postcondition for calling `MoveNext`
+- a reads clause gives a set of memory locations that will be unchanged after a `yield` statement
+- a modifies clause gives a set of memory locations the iterator may write to
+
+## 7.6. Loop Specification ([grammar](#g-loop-specification)) {#sec-loop-specification}
+
+A loop specification provides the information Dafny needs to
+prove properties of a loop. It contains `invariant`,
+`decreases`, and `modifies` clauses.
+
+The `invariant` clause
+is effectively a precondition and it along with the
+negation of the loop test condition provides the postcondition.
+The `decreases` clause is used to prove termination.
+
+## 7.7. Auto-generated boilerplate specifications
+
+AutoContracts is an experimental feature that inserts much of the dynamic-frames boilerplate
+into a class. The user simply
+- marks the class with `{:autocontracts}` and
+- declares a function (or predicate) called Valid().
+
+AutoContracts then
+
+- Declares, unless there already exist members with these names:
+<!-- %no-check -->
+```dafny
+  ghost var Repr: set(object)
+  predicate Valid()
+```
+
+- For function/predicate `Valid()`, inserts
+<!-- %no-check -->
+```dafny
+  reads this, Repr
+  ensures Valid() ==> this in Repr
+```
+- Into body of `Valid()`, inserts (at the beginning of the body)
+<!-- %no-check -->
+```dafny
+  this in Repr && null !in Repr
+```
+  and also inserts, for every array-valued field `A` declared in the class:
+<!-- %no-check -->
+```dafny
+  (A != null ==> A in Repr) &&
+```
+  and for every field `F` of a class type `T` where `T` has a field called `Repr`, also inserts
+<!-- %no-check -->
+```dafny
+  (F != null ==> F in Repr && F.Repr SUBSET Repr && this !in Repr && F.Valid())
+```
+  except, if `A` or `F` is declared with `{:autocontracts false}`, then the implication will not
+be added.
+- For every constructor, inserts
+<!-- %no-check -->
+```dafny
+  ensures Valid() && fresh(Repr)
+```
+- At the end of the body of the constructor, adds
+<!-- %no-check -->
+```dafny
+   Repr := {this};
+   if (A != null) { Repr := Repr + {A}; }
+   if (F != null) { Repr := Repr + {F} + F.Repr; }
+```
+
+In all the following cases, no `modifies` clause or `reads` clause is added if the user
+has given one.
+
+- For every non-static non-ghost method that is not a "simple query method",
+inserts
+<!-- %no-check -->
+```dafny
+   requires Valid()
+   modifies Repr
+   ensures Valid() && fresh(Repr - old(Repr))
+```
+- At the end of the body of the method, inserts
+<!-- %no-check -->
+```dafny
+   if (A != null && !(A in Repr)) { Repr := Repr + {A}; }
+   if (F != null && !(F in Repr && F.Repr SUBSET Repr)) { Repr := Repr + {F} + F.Repr; }
+```
+- For every non-static non-twostate method that is either ghost or is a "simple query method",
+add:
+<!-- %no-check -->
+```dafny
+   requires Valid()
+```
+- For every non-static twostate method, inserts
+<!-- %no-check -->
+```dafny
+   requires old(Valid())
+```
+- For every non-"Valid" non-static function, inserts
+<!-- %no-check -->
+```dafny
+   requires Valid()
+   reads Repr
+```
+
+## 7.8. Well-formedness of specifications {#sec-well-formedness-specifications}
+
+Dafny ensures that the [`requires` clauses](#sec-requires-clause)
+and [`ensures` clauses](#sec-ensures-clause), which are expressions,
+are [well-formed](#sec-assertion-batches) independent of the body
+they belong to.
+Examples of conditions this rules out are null pointer dereferencing,
+out-of-bounds array access, and division by zero.
+Hence, when declaring the following method:
+
+<!-- %check-verify -->
+```dafny
+method Test(a: array<int>) returns (j: int)
+  requires a.Length >= 1
+  ensures a.Length % 2 == 0 ==> j >= 10 / a.Length
+{
+  j := 20;
+  var divisor := a.Length;
+  if divisor % 2 == 0 {
+    j := j / divisor;
+  }
+}
+```
+
+Dafny will split the verification in two [assertion batches](#sec-assertion-batches)
+that will roughly look like the following lemmas:
+
+<!-- %check-verify %options --allow-axioms -->
+```dafny
+lemma Test_WellFormed(a: array?<int>)
+{
+  assume a != null;       // From the definition of a
+  assert a != null;       // for the `requires a.Length >= 1`
+  assume a.Length >= 1;   // After well-formedness, we assume the requires
+  assert a != null;       // Again for the `a.Length % 2`
+  if a.Length % 2 == 0 {
+    assert a != null;     // Again for the final `a.Length`
+    assert a.Length != 0; // Because of the 10 / a.Length
+  }
+}
+
+method Test_Correctness(a: array?<int>)
+{ // Here we assume the well-formedness of the condition
+  assume a != null;       // for the `requires a.Length >= 1`
+  assume a != null;       // Again for the `a.Length % 2`
+  if a.Length % 2 == 0 {
+    assume a != null;     // Again for the final `a.Length`
+    assume a.Length != 0; // Because of the 10 / a.Length
+  }
+
+  // Now the body is translated
+  var j := 20;
+  assert a != null;          // For `var divisor := a.Length;`
+  var divisor := a.Length;
+  if * {
+    assume divisor % 2 == 0;
+    assert divisor != 0;
+    j := j / divisor;
+  }
+  assume divisor % 2 == 0 ==> divisor != 0;
+  assert a.Length % 2 == 0 ==> j >= 10 / a.Length;
+}
+```
+
+For this reason the IDE typically reports at least two [assertion batches](#sec-assertion-batches)
+when hovering a method.
diff --git a/v4.10.0/DafnyRef/Statements.1.expect b/v4.10.0/DafnyRef/Statements.1.expect
new file mode 100644
index 0000000..eaf07d9
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.1.expect
@@ -0,0 +1,3 @@
+text.dfy(3,2): Error: cannot prove termination; try supplying a decreases clause for the loop
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Statements.10.expect b/v4.10.0/DafnyRef/Statements.10.expect
new file mode 100644
index 0000000..c19750c
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.10.expect
@@ -0,0 +1,3 @@
+text.dfy(8,4): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Statements.13.expect b/v4.10.0/DafnyRef/Statements.13.expect
new file mode 100644
index 0000000..bb38528
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.13.expect
@@ -0,0 +1,3 @@
+text.dfy(3,5): Warning: Could not find a trigger for this quantifier. Without a trigger, the quantifier may cause brittle verification. To silence this warning, add an explicit trigger using the {:trigger} attribute. For more information, see the section quantifier instantiation rules in the reference manual.
+
+Dafny program verifier did not attempt verification
diff --git a/v4.10.0/DafnyRef/Statements.14.expect b/v4.10.0/DafnyRef/Statements.14.expect
new file mode 100644
index 0000000..9932a32
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.14.expect
@@ -0,0 +1,3 @@
+text.dfy(13,5): Warning: Could not find a trigger for this quantifier. Without a trigger, the quantifier may cause brittle verification. To silence this warning, add an explicit trigger using the {:trigger} attribute. For more information, see the section quantifier instantiation rules in the reference manual.
+
+Dafny program verifier did not attempt verification
diff --git a/v4.10.0/DafnyRef/Statements.15.expect b/v4.10.0/DafnyRef/Statements.15.expect
new file mode 100644
index 0000000..a6b281c
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.15.expect
@@ -0,0 +1,3 @@
+text.dfy(6,2): Warning: this loop has no body (loop frame: i)
+
+Dafny program verifier did not attempt verification
diff --git a/v4.10.0/DafnyRef/Statements.16.expect b/v4.10.0/DafnyRef/Statements.16.expect
new file mode 100644
index 0000000..971d1af
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.16.expect
@@ -0,0 +1,3 @@
+text.dfy(17,2): Error: assertion might not hold
+
+Dafny program verifier finished with 2 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Statements.2.expect b/v4.10.0/DafnyRef/Statements.2.expect
new file mode 100644
index 0000000..6e4c6ba
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.2.expect
@@ -0,0 +1,6 @@
+text.dfy(12,2): Error: a postcondition could not be proved on this return path
+text.dfy(8,17): Related location: this is the postcondition that could not be proved
+text.dfy(27,2): Error: a postcondition could not be proved on this return path
+text.dfy(23,17): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 2 verified, 2 errors
diff --git a/v4.10.0/DafnyRef/Statements.3.expect b/v4.10.0/DafnyRef/Statements.3.expect
new file mode 100644
index 0000000..ce5fed0
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.3.expect
@@ -0,0 +1,5 @@
+text.dfy(12,2): Warning: this loop has no body (loop frame: i, a, $Heap)
+text.dfy(16,2): Error: assertion might not hold
+text.dfy(18,2): Error: assertion might not hold
+
+Dafny program verifier finished with 1 verified, 2 errors
diff --git a/v4.10.0/DafnyRef/Statements.4.expect b/v4.10.0/DafnyRef/Statements.4.expect
new file mode 100644
index 0000000..ada0116
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.4.expect
@@ -0,0 +1,3 @@
+
+Dafny program verifier finished with 0 verified, 0 errors
+x=Tree.Node(Tree.Node(Tree.Empty, 1, Tree.Empty), 2, Tree.Empty)
diff --git a/v4.10.0/DafnyRef/Statements.5.expect b/v4.10.0/DafnyRef/Statements.5.expect
new file mode 100644
index 0000000..ed0077a
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.5.expect
@@ -0,0 +1,4 @@
+text.dfy(2,2): Error: assertion might not hold
+text.dfy(3,2): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 2 errors
diff --git a/v4.10.0/DafnyRef/Statements.6.expect b/v4.10.0/DafnyRef/Statements.6.expect
new file mode 100644
index 0000000..5d7469e
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.6.expect
@@ -0,0 +1,3 @@
+text.dfy(2,2): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Statements.7.expect b/v4.10.0/DafnyRef/Statements.7.expect
new file mode 100644
index 0000000..5d7469e
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.7.expect
@@ -0,0 +1,3 @@
+text.dfy(2,2): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Statements.8.expect b/v4.10.0/DafnyRef/Statements.8.expect
new file mode 100644
index 0000000..40664bd
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.8.expect
@@ -0,0 +1,4 @@
+text.dfy(5,0): Error: a postcondition could not be proved on this return path
+text.dfy(4,12): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Statements.8b.expect b/v4.10.0/DafnyRef/Statements.8b.expect
new file mode 100644
index 0000000..0732822
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.8b.expect
@@ -0,0 +1,4 @@
+text.dfy(6,13): Error: function precondition could not be proved
+text.dfy(3,30): Related location: this proposition could not be proved
+
+Dafny program verifier finished with 8 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Statements.9.expect b/v4.10.0/DafnyRef/Statements.9.expect
new file mode 100644
index 0000000..4bcfe07
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.9.expect
@@ -0,0 +1,3 @@
+text.dfy(4,14): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Statements.md b/v4.10.0/DafnyRef/Statements.md
new file mode 100644
index 0000000..a47fc45
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.md
@@ -0,0 +1,2502 @@
+# 8. Statements ([grammar](#g-statement)) {#sec-statements}
+
+Many of Dafny's statements are similar to those in traditional
+programming languages, but a number of them are significantly different.
+Dafny's various kinds of statements are described in subsequent sections.
+
+Statements have zero or more labels and end with either a semicolon (`;`) or a closing curly brace ('}').
+
+## 8.1. Labeled Statement ([grammar](#g-labeled-statement)) {#sec-labeled-statement}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+class A { var f: int }
+method m(a: A) {
+  label x:
+  while true {
+     if (*) { break x; }
+  }
+  a.f := 0;
+  label y:
+  a.f := 1;
+  assert old@y(a.f) == 1;
+}
+```
+
+A labeled statement is just 
+- the keyword `label` 
+- followed by an identifier, which is the label, 
+- followed by a colon 
+- and a statement. 
+
+The label may be
+referenced in a `break` or `continue` statement within the labeled statement
+(see [Section 8.14](#sec-break-continue-statement)). That is, the break or continue that
+mentions the label must be _enclosed_ in the labeled statement.
+
+The label may also be used in an `old` expression ([Section 9.22](#sec-old-expression)). In this case, the label
+must have been encountered during the control flow en route to the `old`
+expression. We say in this case that the (program point of the) label _dominates_
+the (program point of the) use of the label.
+Similarly, labels are used to indicate previous states in calls of [two-state predicates](#sec-two-state),
+[fresh expressions](#sec-fresh-expression), [unchanged expressions](#sec-unchanged-expression), 
+and [allocated expressions](#sec-allocated-expression).
+
+A statement can be given several labels. It makes no difference which of these
+labels is used to reference the statement---they are synonyms of each other.
+The labels must be distinct from each other, and are not allowed to be the
+same as any previous enclosing or [dominating label](#sec-two-state).
+
+## 8.2. Block Statement ([grammar](#g-block-statement)) {#sec-block-statement}
+
+Examples:
+<!-- %no-check -->
+```dafny
+{
+  print 0;
+  var x := 0;
+}
+```
+
+A block statement is a sequence of zero or more statements enclosed by curly braces.
+Local variables declared in the block end their scope at the end of the block.
+
+## 8.3. Return Statement ([grammar](#g-return-statement)) {#sec-return-statement}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+method m(i: int) returns (r: int) {
+  return i+1;
+}
+method n(i: int) returns (r: int, q: int) {
+  return i+1, i + 2;
+}
+method p() returns (i: int) {
+  i := 1;
+  return;
+}
+method q() {
+  return;
+}
+```
+  
+A return statement can only be used in a method. It is used
+to terminate the execution of the method.
+
+To return a value from a method, the value is assigned to one
+of the named out-parameters sometime before a return statement.
+In fact, the out-parameters act very much like local variables,
+and can be assigned to more than once. Return statements are
+used when one wants to return before reaching the end of the
+body block of the method.
+
+Return statements can be just the `return` keyword (where the current values
+of the out-parameters are used), or they can take a list of expressions to
+return. If a list is given, the number of expressions given must be the same
+as the number of named out-parameters. These expressions are
+evaluated, then they are assigned to the out-parameters, and then the
+method terminates.
+
+## 8.4. Yield Statement ([grammar](#g-yield-statement)) {#sec-yield-statement}
+
+A yield statement may only be used in an iterator.
+See [iterator types](#sec-iterator-types) for more details
+about iterators.
+
+The body of an iterator is a _co-routine_. It is used
+to yield control to its caller, signaling that a new
+set of values for the iterator's yield (out-)parameters (if any)
+are available. Values are assigned to the yield parameters
+at or before a yield statement.
+In fact, the yield parameters act very much like local variables,
+and can be assigned to more than once. Yield statements are
+used when one wants to return new yield parameter values
+to the caller. Yield statements can be just the
+`yield` keyword (where the current values of the yield parameters
+are used), or they can take a list of expressions to yield.
+If a list is given, the number of expressions given must be the
+same as the number of named iterator out-parameters.
+These expressions are then evaluated, then they are
+assigned to the yield parameters, and then the iterator
+yields.
+
+## 8.5. Update and Call Statements ([grammar](#g-update-and-call-statement)) {#sec-update-and-call-statement}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+class C { var f: int }
+class D {
+  var i: int
+  constructor(i: int) {
+    this.i := i;
+  }
+}
+method q(i: int, j: int) {}
+method r() returns (s: int, t: int) { return 2,3; }
+method m() {
+  var ss: int, tt: int, c: C?, a: array<int>, d: D?;
+  q(0,1);
+  ss, c.f := r();
+  c := new C;
+  d := new D(2);
+  a := new int[10];
+  ss, tt := 212, 33;
+  ss :| ss > 7;
+  ss := *;
+}
+```
+
+This statement corresponds to familiar assignment or method call statements,
+with variations. If more than one
+left-hand side is used, these must denote different l-values, unless the
+corresponding right-hand sides also denote the same value.
+
+The update statement serves several logical purposes.
+
+### 8.5.1. Method call with no out-parameters
+1) Examples of method calls take this form
+<!-- %no-check -->
+```dafny
+m();
+m(1,2,3) {:attr} ;
+e.f().g.m(45);
+```
+
+As there are no left-hand-side locations to receive values, this form is allowed only for 
+methods that have no out-parameters.
+
+### 8.5.2. Method call with out-parameters
+
+This form uses `:=` to denote the assignment of the out-parameters of the method to the 
+corresponding number of LHS values.
+<!-- %no-check -->
+```dafny
+a, b.e().f := m() {:attr};
+```
+
+In this case, the right-hand-side must be a method call and the number of
+left-hand sides must match the number of out-parameters of the
+method that is called.
+Note that the result of a method call is not allowed to be used as an argument of
+another method call, as if it were an expression.
+
+### 8.5.3. Parallel assignment
+
+A parallel-assignment has one-or-more right-hand-side expressions,
+which may be function calls but may not be method calls.
+<!-- %no-check -->
+```dafny
+    x, y := y, x;
+```
+The above example swaps the values of `x` and `y`. If more than one
+left-hand side is used, these must denote different l-values, unless the
+corresponding right-hand sides also denote the same value. There must
+be an equal number of left-hand sides and right-hand sides.
+The most common case has only one RHS and one LHS.
+
+### 8.5.4. Havoc assignment {#sec-havoc-statement}
+The form with a right-hand-side that is `*` is a _havoc_ assignment.
+It assigns an arbitrary but type-correct value to the corresponding left-hand-side.
+It can be mixed with other assignments of computed values.
+<!-- %no-check -->
+```dafny
+a := *;
+a, b, c := 4, *, 5;
+```
+
+### 8.5.5. Such-that assignment
+
+This form has one or more left-hand-sides, a `:|` symbol and then a boolean expression on the right.
+The effect is to assign values to the left-hand-sides that satisfy the 
+RHS condition.
+
+<!-- %no-check -->
+```dafny
+x, y :| 0 < x+y < 10;
+```
+This is read as assign values to `x` and `y` such that `0 < x+y < 10` is true.
+The given boolean expression need not constrain the LHS values uniquely:
+the choice of satisfying values is non-deterministic. 
+This can be used to make a choice as in the
+following example where we choose an element in a set.
+
+<!-- %check-verify -->
+```dafny
+method Sum(X: set<int>) returns (s: int)
+{
+  s := 0; var Y := X;
+  while Y != {}
+    decreases Y
+  {
+    var y: int;
+    y :| y in Y;
+    s, Y := s + y, Y - {y};
+  }
+}
+```
+
+Dafny will report an error if it cannot prove that values
+exist that satisfy the condition. 
+
+In this variation, with an `assume` keyword
+<!-- %no-check -->
+```dafny
+    y :| assume y in Y;
+```
+Dafny assumes without proof that an appropriate value exists.
+
+
+Note that the syntax
+
+```text
+    Lhs ":"
+```
+
+is interpreted as a label in which the user forgot the `label` keyword.
+
+### 8.5.6. Method call with a `by` proof
+
+The purpose of this form of a method call is to seperate the called method's
+precondition and its proof from the rest of the correctness proof of the
+calling method.
+
+<!-- %check-verify Statements.16.expect -->
+```dafny
+opaque predicate P() { true }
+
+lemma ProveP() ensures P() {
+  reveal P();
+}
+
+method M(i: int) returns (r: int)
+  requires P()
+  ensures r == i
+{ r := i; }
+
+method C() {
+  var v := M(1/3) by { // We prove 3 != 0 outside of the by proof
+    ProveP();          // Prove precondtion  
+  }
+  assert v == 0;       // Use postcondition
+  assert P();          // Fails
+}
+```
+
+By placing the call to lemma `ProveP` inside of the by block, we can not use
+`P` after the method call. The well-formedness checks of the arguments to the
+method call are not subject to the separation.
+
+## 8.6. Update with Failure Statement (`:-`) ([grammar](#g-update-with-failure-statement)) {#sec-update-with-failure-statement}
+
+See the subsections below for examples.
+
+A `:-`[^elephant] statement is an alternate form of the `:=` statement that allows for abrupt return if a failure is detected.
+This is a language feature somewhat analogous to exceptions in other languages.
+
+[^elephant]: The `:-` token is called the elephant symbol or operator.
+
+An update-with-failure statement uses _failure-compatible_ types.
+A failure-compatible type is a type that has the following (non-static) members (each with no in-parameters and one out-parameter):
+
+ * a non-ghost function `IsFailure()` that returns a `bool`
+ * an optional non-ghost function `PropagateFailure()` that returns a value assignable to the first out-parameter of the caller
+ * an optional function `Extract()`
+(PropagateFailure and Extract were permitted to be methods (but deprecated) prior to Dafny 4. They will be required to be functions in Dafny 4.)
+
+A failure-compatible type with an `Extract` member is called _value-carrying_.
+
+To use this form of update,
+
+ * if the RHS of the update-with-failure statement is a method call, the first out-parameter of the callee must be failure-compatible
+ * if instead, the RHS of the update-with-failure statement is one or more expressions, the first of these expressions must be a value with a failure-compatible type
+ * the caller must have a first out-parameter whose type matches the output of `PropagateFailure` applied to the first output of the callee, unless an
+`expect`, `assume`, or `assert` keyword is used after `:-` (cf. [Section 8.6.7](#sec-failure-return-keyword)).
+ * if the failure-compatible type of the RHS does not have an `Extract` member,
+then the LHS of the `:-` statement has one less expression than the RHS
+(or than the number of out-parameters from the method call), the value of the first out-parameter or expression being dropped
+(see the discussion and examples in [Section 8.6.2](#sec-simple-fc-return))
+ * if the failure-compatible type of the RHS does have an `Extract` member,
+then the LHS of the `:-` statement has the same number of expressions as the RHS
+(or as the number of out-parameters from the method call)
+and the type of the first LHS expression must be assignable from the return type of the `Extract` member
+* the `IsFailure` and `PropagateFailure` methods may not be ghost
+* the LHS expression assigned the output of the `Extract` member is ghost precisely if `Extract` is ghost
+
+The following subsections show various uses and alternatives.
+
+### 8.6.1. Failure compatible types {#sec-failure-compatible-types}
+
+A simple failure-compatible type is the following:
+<!-- %check-resolve %save Status.tmp -->
+```dafny
+datatype Status =
+| Success
+| Failure(error: string)
+{
+  predicate IsFailure() { this.Failure?  }
+  function PropagateFailure(): Status
+    requires IsFailure()
+  {
+    Failure(this.error)
+  }
+}
+```
+
+A commonly used alternative that carries some value information is something like this generic type:
+<!-- %check-resolve %save Outcome.tmp -->
+```dafny
+datatype Outcome<T> =
+| Success(value: T)
+| Failure(error: string)
+{
+  predicate IsFailure() {
+    this.Failure?
+  }
+  function PropagateFailure<U>(): Outcome<U>
+    requires IsFailure()
+  {
+    Failure(this.error) // this is Outcome<U>.Failure(...)
+  }
+  function Extract(): T
+    requires !IsFailure()
+  {
+    this.value
+  }
+}
+```
+
+
+### 8.6.2. Simple status return with no other outputs {#sec-simple-fc-return}
+
+The simplest use of this failure-return style of programming is to have a method call that just returns a non-value-carrying `Status` value:
+<!-- %check-resolve %use Status.tmp -->
+```dafny
+method Callee(i: int) returns (r: Status)
+{
+  if i < 0 { return Failure("negative"); }
+  return Success;
+}
+
+method Caller(i: int) returns (rr: Status)
+{
+  :- Callee(i);
+  ...
+}
+```
+
+Note that there is no LHS to the `:-` statement.
+If `Callee` returns `Failure`, then the caller immediately returns,
+not executing any statements following the call of `Callee`.
+The value returned by `Caller` (the value of `rr` in the code above) is the result of `PropagateFailure` applied to the value returned by `Callee`, which is often just the same value.
+If `Callee` does not return `Failure` (that is, returns a value for which `IsFailure()` is `false`)
+then that return value is forgotten and execution proceeds normally with the statements following the call of `Callee` in the body of `Caller`.
+
+The desugaring of the `:- Callee(i);` statement is
+<!-- %no-check -->
+```dafny
+var tmp;
+tmp := Callee(i);
+if tmp.IsFailure() {
+  rr := tmp.PropagateFailure();
+  return;
+}
+```
+In this and subsequent examples of desugaring, the `tmp` variable is a new, unique variable, unused elsewhere in the calling member.
+
+### 8.6.3. Status return with additional outputs {#sec-multiple-output-fc}
+
+The example in the previous subsection affects the program only through side effects or the status return itself.
+It may well be convenient to have additional out-parameters, as is allowed for `:=` updates;
+these out-parameters behave just as for `:=`.
+Here is an example:
+
+<!-- %check-resolve %use Status.tmp -->
+```dafny
+method Callee(i: int) returns (r: Status, v: int, w: int)
+{
+  if i < 0 { return Failure("negative"), 0, 0; }
+  return Success, i+i, i*i;
+}
+
+method Caller(i: int) returns (rr: Status, k: int)
+{
+  var j: int;
+  j, k :- Callee(i);
+  k := k + k;
+  ...
+}
+```
+
+Here `Callee` has two outputs in addition to the `Status` output.
+The LHS of the `:-` statement accordingly has two l-values to receive those outputs.
+The recipients of those outputs may be any sort of l-values;
+here they are a local variable and an out-parameter of the caller.
+Those outputs are assigned in the `:-` call regardless of the `Status` value:
+
+   * If `Callee` returns a failure value as its first output, then the other outputs are assigned, 
+the _caller's_ first out-parameter (here `rr`) is assigned the value of `PropagateFailure`, and the caller returns.
+   * If `Callee` returns a non-failure value as its first output, then the other outputs are assigned and the
+caller continues execution as normal.
+
+The desugaring of the `j, k :- Callee(i);` statement is
+<!-- %no-check -->
+```dafny
+var tmp;
+tmp, j, k := Callee(i);
+if tmp.IsFailure() {
+  rr := tmp.PropagateFailure();
+  return;
+}
+```
+
+
+### 8.6.4. Failure-returns with additional data {#sec-value-carrying}
+
+The failure-compatible return value can carry additional data as shown in the `Outcome<T>` example above.
+In this case there is a (first) LHS l-value to receive this additional data. The type of that first LHS
+value is one that is assignable from the result of the `Extract` function, not the actual first out-parameter.
+
+<!-- %check-resolve %use Outcome.tmp -->
+```dafny
+method Callee(i: int) returns (r: Outcome<nat>, v: int)
+{
+  if i < 0 { return Failure("negative"), i+i; }
+  return Success(i), i+i;
+}
+
+method Caller(i: int) returns (rr: Outcome<int>, k: int)
+{
+  var j: int;
+  j, k :- Callee(i);
+  k := k + k;
+  ...
+}
+```
+
+Suppose `Caller` is called with an argument of `10`.
+Then `Callee` is called with argument `10`
+and returns `r` and `v` of `Outcome<nat>.Success(10)` and `20`.
+Here `r.IsFailure()` is `false`, so control proceeds normally.
+The `j` is assigned the result of `r.Extract()`, which will be `10`,
+and `k` is assigned `20`.
+Control flow proceeds to the next line, where `k` now gets the value `40`.
+
+Suppose instead that `Caller` is called with an argument of `-1`.
+Then `Callee` is called with the value `-1`
+ and returns `r` and `v` with values `Outcome<nat>.Failure("negative")` and `-2`.
+`k` is assigned the value of `v` (-2).
+But `r.IsFailure()` is `true`, so control proceeds directly to return from `Caller`.
+The first out-parameter of `Caller` (`rr`) gets the value of `r.PropagateFailure()`,
+which is `Outcome<int>.Failure("negative")`; `k` already has the value `-2`.
+The rest of the body of `Caller` is skipped.
+In this example, the first out-parameter of `Caller` has a failure-compatible type
+so the exceptional return will propagate up the call stack.
+It will keep propagating up the call stack
+as long as there are callers with this first special output type
+and calls that use `:-`
+and the return value keeps having `IsFailure()` true.
+
+The desugaring of the `j, k :- Callee(i);` statement in this example is
+<!-- %no-check -->
+```dafny
+var tmp;
+tmp, k := Callee(i);
+if tmp.IsFailure() {
+  rr := tmp.PropagateFailure();
+  return;
+}
+j := tmp.Extract();
+```
+
+### 8.6.5. RHS with expression list {#sec-failure-expressions}
+
+Instead of a failure-returning method call on the RHS of the statement,
+the RHS can instead be a list of expressions.
+As for a `:=` statement, in this form, the expressions on the left and right sides of `:-` must correspond,
+just omitting a LHS l-value for the first RHS expression if its type is not value-carrying.
+The semantics is very similar to that in the previous subsection.
+
+ * The first RHS expression must have a failure-compatible type.
+ * All the assignments of RHS expressions to LHS values except for the first RHS value are made.
+ * If the first RHS value (say `r`) responds `true` to `r.IsFailure()`,
+then `r.PropagateFailure()` is assigned to the first out-parameter of the _caller_
+and the execution of the caller's body is ended.
+ * If the first RHS value (say `r`) responds `false` to `r.IsFailure()`, then
+   * if the type of `r` is value-carrying, then `r.Extract()` is assigned to the first LHS value of the `:-` statement;
+if `r` is not value-carrying, then the corresponding LHS l-value is omitted
+   * execution of the caller's body continues with the statement following the `:-` statement.
+
+A RHS with a method call cannot be mixed with a RHS containing multiple expressions.
+
+For example, the desugaring of
+<!-- %check-resolve %use Status.tmp -->
+```dafny
+method m(r: Status) returns (rr: Status) {
+  var k;
+  k :- r, 7;
+  ...
+}
+```
+is
+<!-- %no-check -->
+```dafny
+var k;
+var tmp;
+tmp, k := r, 7;
+if tmp.IsFailure() {
+  rr := tmp.PropagateFailure();
+  return;
+}
+```
+### 8.6.6. Failure with initialized declaration. {#sec-failure-with-declaration}
+
+The `:-` syntax can also be used in initialization, as in
+<!-- %no-check -->
+```dafny
+var s, t :- M();
+```
+This is equivalent to
+<!-- %no-check -->
+```dafny
+var s, t;
+s, t :- M();
+```
+with the semantics as described above.
+
+### 8.6.7. Keyword alternative {#sec-failure-return-keyword}
+
+In any of the above described uses of `:-`, the `:-` token may be followed immediately by the keyword `expect`, `assert` or `assume`.
+
+* `assert` means that the RHS evaluation is expected to be successful, but that
+the verifier should prove that this is so; that is, the verifier should prove
+`assert !r.IsFailure()` (where `r` is the status return from the callee)
+(cf. [Section 8.17](#sec-assert-statement))
+* `assume` means that the RHS evaluation should be assumed to be successful,
+as if the statement `assume !r.IsFailure()` followed the evaluation of the RHS
+(cf. [Section 8.18](#sec-assume-statement))
+* `expect` means that the RHS evaluation should be assumed to be successful
+(like using `assume` above), but that the compiler should include a
+run-time check for success. This is equivalent to including
+`expect !r.IsFailure()` after the RHS evaluation; that is, if the status
+return is a failure, the program halts.
+(cf. [Section 8.19](#sec-expect-statement))
+
+In each of these cases, there is no abrupt return from the caller. Thus
+there is no evaluation of `PropagateFailure`. Consequently the first
+out-parameter of the caller need not match the return type of
+`PropagateFailure`; indeed, the failure-compatible type returned by the
+callee need not have a `PropagateFailure` member.
+
+The equivalent desugaring replaces
+<!-- %no-check -->
+```dafny
+if tmp.IsFailure() {
+  rr := tmp.PropagateFailure();
+  return;
+}
+```
+with
+<!-- %no-check -->
+```dafny
+expect !tmp.IsFailure(), tmp;
+```
+or
+<!-- %no-check -->
+```dafny
+assert !tmp.IsFailure();
+```
+or
+<!-- %no-check -->
+```dafny
+assume !tmp.IsFailure();
+```
+
+There is a grammatical nuance that the user should be aware of.
+The keywords `assert`, `assume`, and `expect` can start an expression.
+For example, `assert P; E` can be an expression. However, in
+`e :- assert P; E;` the `assert` is parsed as the keyword associated with
+`:-`. To have the `assert` considered part of the expression use parentheses:
+`e :- (assert P; E);`.
+
+### 8.6.8. Key points
+
+There are several points to note.
+
+* The first out-parameter of the callee is special.
+  It has a special type and that type indicates that the value is inspected to see if an abrupt return
+  from the caller is warranted.
+  This type is often a datatype, as shown in the examples above, but it may be any type with the appropriate members.
+* The restriction on the type of caller's first out-parameter is
+  just that it must be possible (perhaps through generic instantiation and type inference, as in these examples) 
+  for `PropagateFailure` applied to the failure-compatible output from the callee to produce a value of 
+  the caller's first out-parameter type.
+  If the caller's first out-parameter type is failure-compatible (which it need not be),
+  then failures can be propagated up the call chain.
+  If the keyword form (e.g. `assume`) of the statement is used, then no `PropagateFailure` member
+  is needed, because no failure can occur, and there is no restriction on the caller's first out-parameter.
+* In the statement `j, k :- Callee(i);`,
+  when the callee's return value has an `Extract` member,
+  the type of `j` is not the type of the first out-parameter of `Callee`.
+  Rather it is a type assignable from the output type of `Extract` applied to the first out-value of `Callee`.
+* A method like `Callee` with a special first out-parameter type can still be used in the normal way:
+  `r, k := Callee(i)`.
+  Now `r` gets the first output value from `Callee`, of type `Status` or `Outcome<nat>` in the examples above.
+  No special semantics or exceptional control paths apply.
+  Subsequent code can do its own testing of the value of `r`
+  and whatever other computations or control flow are desired.
+* The caller and callee can have any (positive) number of output arguments,
+  as long as the callee's first out-parameter has a failure-compatible type
+  and the caller's first out-parameter type matches `PropagateFailure`.
+* If there is more than one LHS, the LHSs must denote different l-values, 
+  unless the RHS is a list of expressions and the corresponding RHS values are equal.
+* The LHS l-values are evaluated before the RHS method call,
+  in case the method call has side-effects or return values that modify the l-values prior to assignments being made.
+
+It is important to note the connection between the failure-compatible types used in the caller and callee,
+if they both use them.
+They do not have to be the same type, but they must be closely related,
+as it must be possible for the callee's `PropagateFailure` to return a value of the caller's failure-compatible type.
+In practice this means that one such failure-compatible type should be used for an entire program.
+If a Dafny program uses a library shared by multiple programs, the library should supply such a type 
+and it should be used by all the client programs (and, effectively, all Dafny libraries).
+It is also the case that it is inconvenient to mix types such as `Outcome` and `Status` above within the same program.
+If there is a mix of failure-compatible types, then the program will need to use `:=` statements and code for
+explicit handling of failure values.
+
+
+### 8.6.9. Failure returns and exceptions {#sec-failure-return-and-exceptions}
+
+The `:-` mechanism is like the exceptions used in other programming languages, with some similarities and differences.
+
+ * There is essentially just one kind of 'exception' in Dafny,
+the variations of the failure-compatible data type.
+ * Exceptions are passed up the call stack whether or not intervening methods are aware of the possibility of an exception,
+that is, whether or not the intervening methods have declared that they throw exceptions.
+Not so in Dafny: a failure is passed up the call stack only if each caller has a failure-compatible first out-parameter, is itself called in a `:-` statement, and returns a value that responds true to `IsFailure()`.
+ * All methods that contain failure-return callees must explicitly handle those failures
+using either `:-` statements or using `:=` statements with a LHS to receive the failure value.
+
+## 8.7. Variable Declaration Statement ([grammar](#g-variable-declaration-statement)) {#sec-variable-declaration-statement}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+method m() {
+  var x, y: int; // x's type is inferred, not necessarily 'int'
+  var b: bool, k: int;
+  x := 1; // settles x's type
+}
+```
+
+A variable declaration statement is used to declare one or more local variables in
+a method or function. The type of each local variable must be given
+unless its type can be inferred, either from a given initial value, or
+from other uses of the variable. If initial values are given, the number
+of values must match the number of variables declared.
+
+The scope of the declared variable extends to the end of the block in which it is
+declared. However, be aware that if a simple variable declaration is followed
+by an expression (rather than a subsequent statement) then the `var` begins a
+[Let Expression](#sec-let-expression) and the scope of the introduced variables is
+only to the end of the expression. In this case, though, the `var` is in an expression
+context, not a statement context.
+
+Note that the type of each variable must be given individually. The following code
+
+<!-- %no-check -->
+```dafny
+var x, y : int;
+var x, y := 5, 6;
+var x, y :- m();
+var x, y :| 0 < x + y < 10;
+var (x, y) := makePair();
+var Cons(x, y) = ConsMaker();
+```
+does not declare both `x` and `y` to be of type `int`. Rather it will give an
+error explaining that the type of `x` is underspecified if it cannot be
+inferred from uses of x.
+
+The variables can be initialized with syntax similar to update statements (cf. [Section 8.5](#sec-update-and-call-statement)).
+
+If the RHS is a call, then any variable receiving the value of a
+formal ghost out-parameter will automatically be declared as ghost, even
+if the `ghost` keyword is not part of the variable declaration statement.
+
+The left-hand side can also contain a tuple of patterns that will be
+matched against the right-hand-side. For example:
+
+<!-- %check-resolve -->
+```dafny
+function returnsTuple() : (int, int)
+{
+    (5, 10)
+}
+
+function usesTuple() : int
+{
+    var (x, y) := returnsTuple();
+    x + y
+}
+```
+
+The initialization with failure operator `:-` returns from the enclosing method if the initializer evaluates to a failure value of a failure-compatible type (see [Section 8.6](#sec-update-with-failure-statement)).
+
+## 8.8. Guards ([grammar](#g-guard)) {#sec-guard}
+
+Examples (in `if` statements):
+<!-- %check-resolve -->
+```dafny
+method m(i: int) {
+  if (*) { print i; }
+  if i > 0 { print i; }
+}
+```
+
+Guards are used in `if` and `while` statements as boolean expressions. Guards
+take two forms.
+
+The first and most common form is just a boolean expression.
+
+The second form is either `*` or `(*)`. These have the same meaning. An
+unspecified boolean value is returned. The value returned
+may be different each time it is executed.
+
+## 8.9. Binding Guards ([grammar](#g-binding-guard)) {#sec-binding-guards}
+
+Examples (in `if` statements):
+<!-- %check-resolve-warn Statements.13.expect -->
+```dafny
+method m(i: int) {
+  ghost var k: int;
+  if i, j :| 0 < i+j < 10 {
+    k := 0;
+  } else {
+    k := 1;
+  }
+}
+```
+
+An `if` statement can also take a _binding guard_.
+Such a guard checks if there exist values for the given variables that satisfy the given expression.
+If so, it binds some satisfying values to the variables and proceeds
+into the "then" branch; otherwise it proceeds with the "else" branch,
+where the bound variables are not in scope.
+
+In other words, the statement
+
+<!-- %no-check -->
+```dafny
+if x :| P { S } else { T }
+```
+
+has the same meaning as
+
+<!-- %no-check -->
+```dafny
+if exists x :: P { var x :| P; S } else { T }
+```
+
+The identifiers bound by the binding guard are ghost variables
+and cannot be assigned to non-ghost variables. They are only
+used in specification contexts.
+
+Here is another example:
+
+<!-- %check-verify -->
+```dafny
+predicate P(n: int)
+{
+  n % 2 == 0
+}
+
+method M1() returns (ghost y: int)
+    requires exists x :: P(x)
+    ensures P(y)
+{
+  if x : int :| P(x) {
+      y := x;
+  }
+}
+```
+
+## 8.10. If Statement ([grammar](#g-if-statement)) {#sec-if-statement}
+
+Examples:
+<!-- %check-resolve-warn Statements.14.expect -->
+```dafny
+method m(i: int) {
+  var x: int;
+  if i > 0 {
+    x := i;
+  } else {
+    x := -i;
+  }
+  if * {
+    x := i;
+  } else {
+    x := -i;
+  }
+  if i: nat, j: nat :| i+j<10 {
+    assert i < 10;
+  }
+  if i == 0 {
+    x := 0;
+  } else if i > 0 {
+    x := 1;
+  } else {
+    x := -1;
+  }
+  if 
+    case i == 0 => x := 0;
+    case i > 0 => x := 1;
+    case i < 0 => x := -1;
+}
+```
+
+The simplest form of an `if` statement uses a guard that is a boolean
+expression. For example,
+
+<!-- %no-check -->
+```dafny
+  if x < 0 {
+    x := -x;
+  }
+```
+
+Unlike `match` statements, `if` statements do not have to be exhaustive:
+omitting the `else` block is the same as including an empty `else`
+block.  To ensure that an `if` statement is exhaustive, use the
+`if-case` statement documented below.
+
+If the guard is an asterisk then a non-deterministic choice is made:
+
+<!-- %no-check -->
+```dafny
+  if * {
+    print "True";
+  } else {
+    print "False";
+  }
+```
+
+The then alternative of the if-statement must be a block statement;
+the else alternative may be either a block statement or another if statement.
+The condition of the if statement need not (but may) be enclosed in parentheses.
+
+An if statement with a binding guard is non-deterministic;
+it will not be compiled if `--enforce-determinism` is enabled
+(even if it can be proved that there is a unique value).
+An if statement with `*` for a guard is non-deterministic and ghost.
+
+The `if-case` statement using the `AlternativeBlock` form is similar to the
+`if ... fi` construct used in the book "A Discipline of Programming" by
+Edsger W. Dijkstra. It is used for a multi-branch `if`.
+
+For example:
+<!-- %check-resolve -->
+```dafny
+method m(x: int, y: int) returns (max: int) 
+{
+  if {
+    case x <= y => max := y;
+    case y <= x => max := x;
+  }
+}
+```
+
+In this form, the expressions following the `case` keyword are called
+_guards_. The statement is evaluated by evaluating the guards in an
+undetermined order until one is found that is `true` and the statements
+to the right of `=>` for that guard are executed. The statement requires
+at least one of the guards to evaluate to `true` (that is, `if-case`
+statements must be exhaustive: the guards must cover all cases).
+
+In the if-with-cases, a sequence of statements may follow the `=>`; it
+may but need not be a block statement (a brace-enclosed sequence of statements).
+
+The form that used `...` (a refinement feature) as the guard is deprecated.
+
+## 8.11. Match Statement ([grammar](#g-match-statement)) {#sec-match-statement}
+
+Examples:
+<!-- %no-check -->
+```dafny
+
+match list {
+  case Nil => {}
+  case Cons(head,tail) => print head;
+}
+match x
+case 1 =>
+  print x;
+case 2 =>
+  var y := x*x;
+  print y;
+case _ =>
+  print "Other";
+  // Any statement after is captured in this case.
+```
+
+The `match` statement is used to do case analysis on a value of an expression.
+The expression may be a value of a basic type (e.g. `int`), a newtype, or
+an inductive or coinductive datatype (which includes the built-in tuple types). 
+The expression after the `match` keyword is called the _selector_. 
+The selector is evaluated and then matched against
+each clause in order until a matching clause is found.
+
+The process of matching the selector expression against the case patterns is
+the same as for match expressions and is described in
+[Section 9.31.2](#sec-case-pattern).
+
+The selector need not be enclosed in parentheses; the sequence of cases may but need not be enclosed in braces.
+The cases need not be disjoint.
+The cases must be exhaustive, but you can use a wild variable (`_`) or a simple identifier to indicate "match anything".
+Please refer to the [section about case patterns](#sec-case-pattern) to learn more about shadowing, constants, etc.
+
+The code below shows an example of a match statement.
+
+<!-- %check-resolve -->
+```dafny
+datatype Tree = Empty | Node(left: Tree, data: int, right: Tree)
+
+// Return the sum of the data in a tree.
+method Sum(x: Tree) returns (r: int)
+{
+  match x {
+    case Empty => r := 0;
+    case Node(t1, d, t2) =>
+      var v1 := Sum(t1);
+      var v2 := Sum(t2);
+      r := v1 + d + v2;
+  }
+}
+```
+
+Note that the `Sum` method is recursive yet has no `decreases` annotation.
+In this case it is not needed because Dafny is able to deduce that
+`t1` and `t2` are _smaller_ (structurally) than `x`. If `Tree` had been
+coinductive this would not have been possible since `x` might have been
+infinite.
+
+## 8.12. While Statement ([grammar](#g-while-statement)) {#sec-while-statement}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+method m() {
+  var i := 10;
+  while 0 < i
+    invariant 0 <= i <= 10
+    decreases i
+  {
+    i := i-1;
+  }
+  while * {}
+  i := *;
+  while 
+     decreases if i < 0 then -i else i
+  {
+     case i < 0 => i := i + 1;
+     case i > 0 => i := i - 1;
+  }
+}
+```
+
+Loops
+- may be a conventional loop with a condition and a block statement for a body
+- need not have parentheses around the condition
+- may have a `*` for the condition (the loop is then non-deterministic)
+- binding guards are not allowed
+- may have a case-based structure
+- may have no body --- a bodyless loop is not compilable, but can be reaosnaed about
+
+Importantly, loops need _loop specifications_ in order for Dafny to prove that
+they obey expected behavior. In some cases Dafny can infer the loop specifications by analyzing the code,
+so the loop specifications need not always be explicit.
+These specifications are described in [Section 7.6](#sec-loop-specification) and [Section 8.15](#sec-loop-specifications).
+
+The general loop statement in Dafny is the familiar `while` statement.
+It has two general forms.
+
+The first form is similar to a while loop in a C-like language. For
+example:
+
+<!-- %check-resolve -->
+```dafny
+method m(){
+  var i := 0;
+  while i < 5 {
+    i := i + 1;
+  }
+}
+```
+
+In this form, the condition following the `while` is one of these:
+
+* A boolean expression. If true it means execute one more
+iteration of the loop. If false then terminate the loop.
+* An asterisk (`*`), meaning non-deterministically yield either
+`true` or `false` as the value of the condition
+
+The _body_ of the loop is usually a block statement, but it can also
+be missing altogether.
+A loop with a missing body may still pass verification, but any attempt
+to compile the containing program will result in an error message.
+When verifying a loop with a missing body, the verifier will skip attempts
+to prove loop invariants and decreases assertions that would normally be
+asserted at the end of the loop body.
+There is more discussion about bodyless loops in [Section 8.15.4](#sec-bodyless-constructs).
+
+The second form uses a case-based block. It is similar to the
+`do ... od` construct used in the book "A Discipline of Programming" by
+Edsger W. Dijkstra. For example:
+
+<!-- %check-verify -->
+```dafny
+method m(n: int){
+  var r := n;
+  while
+    decreases if 0 <= r then r else -r
+  {
+    case r < 0 =>
+      r := r + 1;
+    case 0 < r =>
+      r := r - 1;
+  }
+}
+```
+For this form, the guards are evaluated in some undetermined order
+until one is found that is true, in which case the corresponding statements
+are executed and the while statement is repeated.
+If none of the guards evaluates to true, then the
+loop execution is terminated.
+
+The form that used `...` (a refinement feature) as the guard is deprecated.
+
+## 8.13. For Loops ([grammar](#g-for-statement)) {#sec-for-statement}
+
+Examples:
+<!-- %check-resolve-warn Statements.15.expect -->
+```dafny
+method m() decreases * {
+  for i := 0 to 10 {}
+  for _ := 0 to 10 {}
+  for i := 0 to * invariant i >= 0 decreases * {}
+  for i: int := 10 downto 0 {}
+  for i: int := 10 downto 0 
+}
+```
+The `for` statement provides a convenient way to write some common loops.
+
+The statement introduces a local variable with optional type, which is called
+the _loop index_. The loop index is in scope in the specification and the body,
+but not after the `for` loop. Assignments to the loop index are not allowed.
+The type of the loop index can typically be inferred; if so, it need not be given
+explicitly. If the identifier is not used, it can be written as `_`, as illustrated
+in this repeat-20-times loop:
+<!-- %no-check -->
+```dafny
+for _ := 0 to 20 {
+  Body
+}
+```
+
+There are four basic variations of the `for` loop:
+<!-- %no-check -->
+```dafny
+for i: T := lo to hi
+  LoopSpec
+{ Body }
+
+for i: T := hi downto lo
+  LoopSpec
+{ Body }
+
+for i: T := lo to *
+  LoopSpec
+{ Body }
+
+for i: T := hi downto *
+  LoopSpec
+{ Body }
+```
+Semantically, they are defined as the following respective `while` loops:
+<!-- %no-check -->
+```dafny
+{
+  var _lo, _hi := lo, hi;
+  assert _lo <= _hi && forall _i: int :: _lo <= _i <= _hi ==> _i is T;
+  var i := _lo;
+  while i != _hi
+    invariant _lo <= i <= _hi
+    LoopSpec
+    decreases _hi - i
+  {
+    Body
+    i := i + 1;
+  }
+}
+
+{
+  var _lo, _hi := lo, hi;
+  assert _lo <= _hi && forall _i: int :: _lo <= _i <= _hi ==> _i is T;
+  var i := _hi;
+  while i != lo
+    invariant _lo <= i <= _hi
+    LoopSpec
+    decreases i - _lo
+  {
+    i := i - 1;
+    Body
+  }
+}
+
+{
+  var _lo := lo;
+  assert forall _i: int :: _lo <= _i ==> _i is T;
+  var i := _lo;
+  while true
+    invariant _lo <= i
+    LoopSpec
+  {
+    Body
+    i := i + 1;
+  }
+}
+
+{
+  var _hi := hi;
+  assert forall _i: int :: _i <= _hi ==> _i is T;
+  var i := _hi;
+  while true
+    invariant i <= _hi
+    LoopSpec
+  {
+    i := i - 1;
+    Body
+  }
+}
+```
+
+The expressions `lo` and `hi` are evaluated just once, before the loop
+iterations start.
+
+Also, in all variations the values of `i` in the body are the values
+from `lo` to, _but not including_, `hi`. This makes it convenient to
+write common loops, including these:
+
+<!-- %no-check -->
+```dafny
+for i := 0 to a.Length {
+  Process(a[i]);
+}
+for i := a.Length downto 0 {
+  Process(a[i]);
+}
+```
+Nevertheless, `hi` must be a legal value for the type of the index variable,
+since that is how the index variable is used in the invariant.
+
+If the end-expression is not `*`, then no explicit `decreases` is
+allowed, since such a loop is already known to terminate.
+If the end-expression is `*`, then the absence of an explicit `decreases`
+clause makes it default to `decreases *`. So, if the end-expression is `*` and no
+explicit `decreases` clause is given, the loop is allowed only in methods
+that are declared with `decreases *`.
+
+The directions `to` or `downto` are contextual keywords. That is, these two
+words are part of the syntax of the `for` loop, but they are not reserved
+keywords elsewhere.
+
+Just like for while loops, the body of a for-loop may be omitted during
+verification. This suppresses attempts to check assertions (like invariants)
+that would occur at the end of the loop. Eventually, however a body must
+be provided; the compiler will not compile a method containing a body-less
+for-loop. There is more discussion about bodyless loops in [Section 8.15.4](#sec-bodyless-constructs).
+
+## 8.14. Break and Continue Statements ([grammar](#g-break-continue-statement)) {#sec-break-continue-statement}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+class A { var f: int }
+method m(a: A) {
+  label x:
+  while true {
+    if (*) { break; }
+  }
+  label y: {
+    var z := 1;
+    if * { break y; }
+    z := 2;
+  }
+
+}
+```
+
+Break and continue statements provide a means to transfer control
+in a way different than the usual nested control structures.
+There are two forms of each of these statements: with and without a label.
+
+If a label is used, the break or continue statement must be enclosed in a statement
+with that label. The enclosing statement is called the _target_ of the break
+or continue.
+
+A `break` statement transfers control to the point immediately
+following the target statement. For example, such a break statement can be
+used to exit a sequence of statements in a block statement before
+reaching the end of the block.
+
+For example,
+<!-- %no-check -->
+```dafny
+label L: {
+  var n := ReadNext();
+  if n < 0 {
+    break L;
+  }
+  DoSomething(n);
+}
+```
+is equivalent to
+<!-- %no-check -->
+```dafny
+{
+  var n := ReadNext();
+  if 0 <= n {
+    DoSomething(n);
+  }
+}
+```
+
+If no label is specified and the statement lists `n`
+occurrences of `break`, then the statement must be enclosed in
+at least `n` levels of loop statements. Control continues after exiting `n`
+enclosing loops. For example,
+
+<!-- %check-resolve -->
+```dafny
+method m() {
+  for i := 0 to 10 {
+    for j := 0 to 10 {
+      label X: {
+        for k := 0 to 10 {
+          if j + k == 15 {
+            break break;
+          }
+        }
+      }
+    }
+    // control continues here after the "break break", exiting two loops
+  }
+}
+```
+
+Note that a non-labeled `break` pays attention only to loops, not to labeled
+statements. For example, the labeled block `X` in the previous example
+does not play a role in determining the target statement of the `break break;`.
+
+For a `continue` statement, the target statement must be a loop statement.
+The continue statement transfers control to the point immediately
+before the closing curly-brace of the loop body.
+
+For example,
+<!-- %check-resolve -->
+```dafny
+method m() {
+  for i := 0 to 100 {
+    if i == 17 {
+      continue;
+    }
+    DoSomething(i);
+  }
+}
+method DoSomething(i:int){}
+```
+is equivalent to
+<!-- %check-resolve -->
+```dafny
+method m() {
+  for i := 0 to 100 {
+    if i != 17 {
+      DoSomething(i);
+    }
+  }
+}
+method DoSomething(i:int){}
+```
+The same effect can also be obtained by wrapping the loop body in a labeled
+block statement and then using `break` with a label, but that usually makes
+for a more cluttered program:
+<!-- %check-resolve -->
+```dafny
+method m() {
+  for i := 0 to 100 {
+    label LoopBody: {
+      if i == 17 {
+        break LoopBody;
+      }
+      DoSomething(i);
+    }
+  }
+}
+method DoSomething(i:int){}
+```
+
+Stated differently, `continue` has the effect of ending the current loop iteration,
+after which control continues with any remaining iterations. This is most natural
+for `for` loops. For a `while` loop, be careful to make progress toward termination
+before a `continue` statement. For example, the following program snippet shows
+an easy mistake to make (the verifier will complain that the loop may not terminate):
+
+<!-- %check-verify Statements.1.expect -->
+```dafny
+method m() {
+  var i := 0;
+  while i < 100 {
+    if i == 17 {
+      continue; // error: this would cause an infinite loop
+    }
+    DoSomething(i);
+    i := i + 1;
+  }
+}
+method DoSomething(i:int){}
+```
+
+The `continue` statement can give a label, provided the label is a label of a loop.
+For example,
+
+<!-- %check-resolve -->
+```dafny
+method m() {
+  label Outer:
+  for i := 0 to 100 {
+    for j := 0 to 100 {
+      if i + j == 19 {
+        continue Outer;
+      }
+      WorkIt(i, j);
+    }
+    PostProcess(i);
+    // the "continue Outer" statement above transfers control to here
+  }
+}
+method WorkIt(i:int, j:int){}
+method PostProcess(i:int){}
+```
+
+If a non-labeled continue statement lists `n` occurrences of `break` before the
+`continue` keyword, then the statement must be enclosed in at least `n + 1` levels
+of loop statements. The effect is to `break` out of the `n` most closely enclosing
+loops and then `continue` the iterations of the next loop. That is, `n` occurrences
+of `break` followed by one more `break;` will break out of `n` levels of loops
+and then do a `break`, whereas `n` occurrences of `break` followed by `continue;`
+will break out of `n` levels of loops and then do a `continue`.
+
+For example, the `WorkIt` example above can equivalently be written without labels
+as
+<!-- %check-resolve -->
+```dafny
+method m() {
+  for i := 0 to 100 {
+    for j := 0 to 100 {
+      if i + j == 19 {
+        break continue;
+      }
+      WorkIt(i, j);
+    }
+    PostProcess(i);
+    // the "break continue" statement above transfers control to here
+  }
+}
+method WorkIt(i:int, j:int){}
+method PostProcess(i:int){}
+```
+
+Note that a loop invariant is checked on entry to a loop and at the closing curly-brace
+of the loop body. It is not checked at break statements. For continue statements, 
+the loop invariant is checked as usual at the closing curly-brace
+that the continue statement jumps to.
+This checking ensures that the loop invariant holds at the very top of
+every iteration. Commonly, the only exit out of a loop happens when the loop guard evaluates
+to `false`. Since no state is changed between the top of an iteration (where the loop
+invariant is known to hold) and the evaluation of the loop guard, one can also rely on
+the loop invariant to hold immediately following the loop. But the loop invariant may
+not hold immediately following a loop if a loop iteration changes the program state and
+then exits the loop with a break statement.
+
+For example, the following program verifies:
+<!-- %check-verify -->
+```dafny
+method m() {
+  var i := 0;
+  while i < 10
+    invariant 0 <= i <= 10
+  {
+    if P(i) {
+      i := i + 200;
+      break;
+    }
+    i := i + 1;
+  }
+  assert i == 10 || 200 <= i < 210;
+}
+predicate P(i:int)
+```
+To explain the example, the loop invariant `0 <= i <= 10` is known to hold at the very top
+of each iteration,
+that is, just before the loop guard `i < 10` is evaluated. If the loop guard evaluates
+to `false`, then the negated guard condition (`10 <= i`) and the invariant hold, so
+`i == 10` will hold immediately after the loop. If the loop guard evaluates to `true`
+(that is, `i < 10` holds), then the loop body is entered. If the test `P(i)` then evaluates
+to `true`, the loop adds `200` to `i` and breaks out of the loop, so on such a
+path, `200 <= i < 210` is known to hold immediately after the loop. This is summarized
+in the assert statement in the example.
+So, remember, a loop invariant holds at the very top of every iteration, not necessarily
+immediately after the loop.
+
+## 8.15. Loop Specifications {#sec-loop-specifications}
+For some simple loops, such as those mentioned previously, Dafny can figure
+out what the loop is doing without more help. However, in general the user
+must provide more information in order to help Dafny prove the effect of
+the loop. This information is provided by a _loop specification_. A
+loop specification provides information about invariants, termination, and
+what the loop modifies.
+For additional tutorial information see [@KoenigLeino:MOD2011] or the
+[online Dafny tutorial](../OnlineTutorial/guide).
+
+### 8.15.1. Loop invariants {#sec-loop-invariants}
+
+Loops present a problem for specification-based reasoning. There is no way to
+know in advance how many times the code will go around the loop and
+a tool cannot reason about every one of a possibly unbounded sequence of unrollings.
+In order to consider all paths through a program, specification-based
+program verification tools require loop invariants, which are another kind of
+annotation.
+
+A loop invariant is an expression that holds just prior to the loop test,
+that is, upon entering a loop and
+after every execution of the loop body. It captures something that is
+invariant, i.e. does not change, about every step of the loop. Now,
+obviously we are going to want to change variables, etc. each time around
+the loop, or we wouldn't need the loop. Like pre- and postconditions, an
+invariant is a property that is preserved for each execution of the loop,
+expressed using the same boolean expressions we have seen. For example,
+
+<!-- %no-check -->
+```dafny
+var i := 0;
+while i < n
+  invariant 0 <= i
+{
+  i := i + 1;
+}
+```
+
+When you specify an invariant, Dafny proves two things: the invariant
+holds upon entering the loop, and it is preserved by the loop. By
+preserved, we mean that assuming that the invariant holds at the
+beginning of the loop (just prior to the loop test), we must show that executing the loop body once
+makes the invariant hold again. Dafny can only know upon analyzing the
+loop body what the invariants say, in addition to the loop guard (the
+loop condition). Just as Dafny will not discover properties of a method
+on its own, it will not know that any but the most basic properties of a loop
+are preserved unless it is told via an invariant.
+
+### 8.15.2. Loop termination {#sec-loop-termination}
+
+Dafny proves that code terminates, i.e. does not loop forever, by using
+`decreases` annotations. For many things, Dafny is able to guess the right
+annotations, but sometimes it needs to be made explicit.
+There are two places Dafny proves termination: loops and recursion.
+Both of these situations require either an explicit annotation or a
+correct guess by Dafny.
+
+A `decreases` annotation, as its name suggests, gives Dafny an expression
+that decreases with every loop iteration or recursive call. There are two
+conditions that Dafny needs to verify when using a `decreases` expression:
+
+* that the expression actually gets smaller, and
+* that it is bounded.
+
+That is, the expression must strictly decrease in a well-founded ordering
+(cf. [Section 12.7](#sec-well-founded-orders)).
+
+Many times, an integral value (natural or plain integer) is the quantity
+that decreases, but other values can be used as well. In the case of
+integers, the bound is assumed to be zero.
+For each loop iteration the `decreases` expression at the end of the loop
+body must be strictly smaller than its value at the beginning of the loop
+body (after the loop test). For integers, the well-founded relation between
+`x` and `X` is `x < X && 0 <= X`.
+Thus if the `decreases` value (`X`) is negative at the
+loop test, it must exit the loop, since there is no permitted value for
+`x` to have at the end of the loop body.
+
+For example, the following is
+a proper use of `decreases` on a loop:
+
+<!-- %check-verify -->
+```dafny
+method m(n: nat){
+  var i := n;
+  while 0 < i
+    invariant 0 <= i
+    decreases i
+  {
+    i := i - 1;
+  }
+}
+```
+
+Here Dafny has all the ingredients it needs to prove termination. The
+variable `i` becomes smaller each loop iteration, and is bounded below by
+zero. When `i` becomes 0, the lower bound of the well-founded order, control
+flow exits the loop.
+
+This is fine, except the loop is backwards compared to most loops, which
+tend to count up instead of down. In this case, what decreases is not the
+counter itself, but rather the distance between the counter and the upper
+bound. A simple trick for dealing with this situation is given below:
+
+<!-- %check-verify -->
+```dafny
+method m(m: nat, n: int) 
+  requires m <= n 
+{
+  var i := m;
+  while i < n
+    invariant 0 <= i <= n
+    decreases n - i
+  {
+    i := i + 1;
+  }
+}
+```
+
+This is actually Dafny's guess for this situation, as it sees `i < n` and
+assumes that `n - i` is the quantity that decreases. The upper bound of the
+loop invariant implies that `0 <= n – i`, and gives Dafny a lower bound on
+the quantity. This also works when the bound `n` is not constant, such as
+in the binary search algorithm, where two quantities approach each other,
+and neither is fixed.
+
+If the `decreases` clause of a loop specifies `*`, then no
+termination check will be performed. Use of this feature is sound only with
+respect to partial correctness.
+
+### 8.15.3. Loop framing {#sec-loop-framing}
+
+The specification of a loop also includes _framing_, which says what the
+loop modifies. The loop frame includes both local variables and locations
+in the heap.
+
+For local variables, the Dafny verifier performs a syntactic
+scan of the loop body to find every local variable or out-parameter that occurs as a left-hand
+side of an assignment. These variables are called
+_syntactic assignment targets of the loop_, or _syntactic loop targets_ for short.
+Any local variable or out-parameter that is not a syntactic assignment target is known by the
+verifier to remain unchanged by the loop.
+
+The heap may or may not be a syntactic loop target. It is when the loop body
+syntactically contains a statement that can modify a heap location. This
+includes calls to compiled methods, even if such a method has an empty
+`modifies` clause, since a compiled method is always allowed to allocate
+new objects and change their values in the heap.
+
+If the heap is not a syntactic loop target, then the verifier knows the heap
+remains unchanged by the loop. If the heap _is_ a syntactic loop target,
+then the loop's effective `modifies` clause determines what is allowed to be
+modified by iterations of the loop body.
+
+A loop can use `modifies` clauses to declare the effective `modifies` clause
+of the loop. If a loop does not explicitly declare any `modifies` clause, then
+the effective `modifies` clause of the loop is the effective `modifies` clause
+of the most tightly enclosing loop or, if there is no enclosing loop, the
+`modifies` clause of the enclosing method.
+
+In most cases, there is no need to give an explicit `modifies` clause for a
+loop. The one case where it is sometimes needed is if a loop modifies less
+than is allowed by the enclosing method. Here are two simple methods that
+illustrate this case:
+
+<!-- %check-verify Statements.2.expect -->
+```dafny
+class Cell {
+  var data: int
+}
+
+method M0(c: Cell, d: Cell)
+  requires c != d
+  modifies c, d
+  ensures c.data == d.data == 100
+{
+  c.data, d.data := 100, 0;
+  var i := 0;
+  while i < 100
+    invariant d.data == i
+    // Needs "invariant c.data == 100" or "modifies d" to verify
+  {
+    d.data := d.data + 1;
+    i := i + 1;
+  }
+}
+
+method M1(c: Cell)
+  modifies c
+  ensures c.data == 100
+{
+  c.data := 100;
+  var i := 0;
+  while i < 100
+    // Needs "invariant c.data == 100" or "modifies {}" to verify
+  {
+    var tmp := new Cell;
+    tmp.data := i;
+    i := i + 1;
+  }
+}
+```
+
+In `M0`, the effective `modifies` clause of the loop is `modifies c, d`. Therefore,
+the method's postcondition `c.data == 100` is not provable. To remedy the situation,
+the loop needs to be declared either with `invariant c.data == 100` or with
+`modifies d`.
+
+Similarly, the effective `modifies` clause of the loop in `M1` is `modifies c`. Therefore,
+the method's postcondition `c.data == 100` is not provable. To remedy the situation,
+the loop needs to be declared either with `invariant c.data == 100` or with
+`modifies {}`.
+
+When a loop has an explicit `modifies` clause, there is, at the top of
+every iteration, a proof obligation that
+
+* the expressions given in the `modifies` clause are [well-formed](#sec-assertion-batches), and
+* everything indicated in the loop `modifies` clause is allowed to be modified by the
+  (effective `modifies` clause of the) enclosing loop or method.
+
+### 8.15.4. Body-less methods, functions, loops, and aggregate statements {#sec-bodyless-constructs}
+
+Methods (including lemmas), functions, loops, and `forall` statements are ordinarily
+declared with a body, that is, a curly-braces pair that contains (for methods, loops, and `forall`)
+a list of zero-or-more statements or (for a function) an expression. In each case, Dafny syntactically
+allows these constructs to be given without a body (no braces at all). This is to allow programmers to
+temporarily postpone the development of the implementation of the method, function, loop, or
+aggregate statement.
+
+If a method has no body, there is no difference for callers of the method. Callers still reason
+about the call in terms of the method's specification. But without a body, the verifier has
+no method implementation to check against the specification, so the verifier is silently happy.
+The compiler, on the other hand, will complain if it encounters a body-less method, because the
+compiler is supposed to generate code for the method, but it isn't clever enough to do that by
+itself without a given method body. If the method implementation is provided by code written
+outside of Dafny, the method can be marked with an `{:extern}` annotation, in which case the
+compiler will no longer complain about the absence of a method body; the verifier will not 
+object either, even though there is now no proof that the Dafny specifications are satisfied
+by the external implementation.
+
+A lemma is a special kind of (ghost) method. Callers are therefore unaffected by the absence of a body,
+and the verifier is silently happy with not having a proof to check against the lemma specification.
+Despite a lemma being ghost, it is still the compiler that checks for, and complains about,
+body-less lemmas. A body-less lemma is an unproven lemma, which is often known as an _axiom_.
+If you intend to use a lemma as an axiom, omit its body and add the attribute `{:axiom}`, which
+causes the compiler to suppress its complaint about the lack of a body.
+
+Similarly, calls to a body-less function use only the specification of the function. The
+verifier is silently happy, but the compiler complains (whether or not the function is ghost).
+As for methods and lemmas, the `{:extern}` and `{:axiom}` attributes can be used to suppress the
+compiler's complaint.
+
+By supplying a body for a method or function, the verifier will in effect show the feasibility of
+the specification of the method or function. By supplying an `{:extern}` or `{:axiom}` attribute,
+you are taking that responsibility into your own hands. Common mistakes include forgetting to
+provide an appropriate `modifies` or `reads` clause in the specification, or forgetting that
+the results of functions in Dafny (unlike in most other languages) must be deterministic.
+
+Just like methods and functions have two sides, callers and implementations, loops also have
+two sides. One side (analogous to callers) is the context that uses the loop. That context treats
+the loop in the same way, using its specifications, regardless of whether or not the loop has a body. The other side
+is the loop body, that is, the implementation of each loop iteration. The verifier checks
+that the loop body maintains the loop invariant and that the iterations will eventually terminate,
+but if there is no loop body, the verifier is silently happy. This allows you to temporarily
+postpone the authoring of the loop body until after you've made sure that the loop specification
+is what you need in the context of the loop.
+
+There is one thing that works differently for body-less loops than for loops with bodies.
+It is the computation of syntactic loop targets, which become part of the loop frame
+(see [Section 8.15.3](#sec-loop-framing)). For a body-less loop, the local variables
+computed as part of the loop frame are the mutable variables that occur free in the
+loop specification. The heap is considered a part of the loop frame if it is used
+for mutable fields in the loop specification or if the loop has an explicit `modifies` clause.
+The IDE will display the computed loop frame in hover text.
+
+For example, consider
+
+<!-- %check-verify Statements.3.expect -->
+```dafny
+class Cell {
+  var data: int
+  const K: int
+}
+
+method BodylessLoop(n: nat, c: Cell)
+  requires c.K == 8
+  modifies c
+{
+  c.data := 5;
+  var a, b := n, n;
+  for i := 0 to n
+    invariant c.K < 10
+    invariant a <= n
+    invariant c.data < 10
+  assert a == n;
+  assert b == n;
+  assert c.data == 5;
+}
+```
+
+The loop specification mentions local variable `a`, and thus `a` is considered part of
+the loop frame. Since what the loop invariant says about `a` is not strong enough to
+prove the assertion `a == n` that follows the loop, the verifier complains about that
+assertion.
+
+Local variable `b` is not mentioned in the loop specification, and thus `b` is not
+included in the loop frame. Since in-parameter `n` is immutable, it is not included
+in the loop frame, either, despite being mentioned in the loop specification. For
+these reasons, the assertion `b == n` is provable after the loop.
+
+Because the loop specification mentions the mutable field `data`, the heap becomes
+part of the loop frame. Since the loop invariant is not strong enough to prove the
+assertion `c.data == 5` that follows the loop, the verifier complains about that
+assertion. On the other hand, had `c.data < 10` not been mentioned in the loop
+specification, the assertion would be verified, since field `K` is then the only
+field mentioned in the loop specification and `K` is immutable.
+
+Finally, the aggregate statement (`forall`) can also be given without a body. Such
+a statement claims that the given `ensures` clause holds true for all values of
+the bound variables that satisfy the given range constraint. If the statement has
+no body, the program is in effect omitting the proof, much like a body-less lemma
+is omitting the proof of the claim made by the lemma specification. As with the
+other body-less constructs above, the verifier is silently happy with a body-less
+`forall` statement, but the compiler will complain.
+
+## 8.16. Print Statement ([grammar](#g-print-statement)) {#sec-print-statement}
+
+Examples:
+<!-- %no-check -->
+```dafny
+print 0, x, list, array;
+```
+
+The `print` statement is used to print the values of a comma-separated
+list of expressions to the console (standard-out). The generated code uses
+target-language-specific idioms to perform this printing.
+The expressions may of course include strings that are used
+for captions. There is no implicit new line added, so to add a new
+line you must include `"\n"` as part of one of the expressions.
+Dafny automatically creates implementations of methods that convert values to strings
+for all Dafny data types. For example,
+
+<!-- %check-run Statements.4.expect -->
+```dafny
+datatype Tree = Empty | Node(left: Tree, data: int, right: Tree)
+method Main()
+{
+  var x : Tree := Node(Node(Empty, 1, Empty), 2, Empty);
+  print "x=", x, "\n";
+}
+```
+
+produces this output:
+
+```text
+x=Tree.Node(Tree.Node(Tree.Empty, 1, Tree.Empty), 2, Tree.Empty)
+```
+
+Note that Dafny does not have method overriding and there is no mechanism to
+override the built-in value->string conversion.  Nor is there a way to
+explicitly invoke this conversion.
+One can always write an explicit function to convert a data value to a string
+and then call it explicitly in a `print` statement or elsewhere.
+
+By default, Dafny does not keep track of print effects, but this can be changed
+using the `--track-print-effects` command line flag. `print` statements are allowed
+only in non-ghost contexts and not in expressions, with one exception.
+The exception is that a function-by-method may contain `print` statements,
+whose effect may be observed as part of the run-time evaluation of such functions
+(unless `--track-print-effects` is enabled).
+
+The verifier checks that each expression is well-defined, but otherwise 
+ignores the `print` statement.
+
+<a id="print-encoding"></a>
+
+**Note:** `print` writes to standard output.  To improve compatibility with
+native code and external libraries, the process of encoding Dafny strings passed
+to `print` into standard-output byte strings is left to the runtime of the
+language that the Dafny code is compiled to (some language runtimes use UTF-8 in
+all cases; others obey the current locale or console encoding).
+
+In most cases, the standard-output encoding can be set before running the
+compiled program using language-specific flags or environment variables
+(e.g. `-Dfile.encoding=` for Java).  This is in fact how `dafny run` operates:
+it uses language-specific flags and variables to enforce UTF-8 output regardless
+of the target language (but note that the C++ and Go backends currently have
+limited support for UTF-16 surrogates).
+
+## 8.17. Assert statement ([grammar](#g-assert-statement)) {#sec-assert-statement}
+
+Examples:
+<!-- %no-check -->
+```dafny
+assert i > 0;
+assert IsPositive: i > 0;
+assert i > 0 by {
+ ...
+}
+```
+
+`Assert` statements are used to express logical propositions that are
+expected to be true. Dafny will attempt to prove that the assertion
+is true and give an error if the assertion cannot be proven.
+Once the assertion is proved,
+its truth may aid in proving subsequent deductions.
+Thus if Dafny is having a difficult time verifying a method,
+the user may help by inserting assertions that Dafny can prove,
+and whose truth may aid in the larger verification effort,
+much as lemmas might be used in mathematical proofs.
+
+`Assert` statements are ignored by the compiler.
+
+In the `by` form of the `assert` statement, there is an additional block of statements that provide the Dafny verifier with additional proof steps.
+Those statements are often a sequence of [lemmas](#sec-lemmas), [`calc`](#sec-calc-statement) statements, [`reveal`](#sec-reveal-statements) statements or other `assert` statements,
+combined with ghost control flow, ghost variable declarations and ghost update statements of variables declared in the `by` block.
+The intent is that those statements be evaluated in support of proving the `assert` statement.
+For that purpose, they could be simply inserted before the `assert` statement.
+But by using the `by` block, the statements in the block are discarded after the assertion is proved.
+As a result, the statements in the block do not clutter or confuse the solver in performing subsequent
+proofs of assertions later in the program. Furthermore, by isolating the statements in the `by` block,
+their purpose -- to assist in proving the given assertion -- is manifest in the structure of the code.
+
+Examples of this form of assert are given in the section of the [`reveal`](#sec-reveal-statement) statement and in [_Different Styles of Proof_](http://leino.science/papers/krml276.html)
+
+An assert statement may have a label, whose use is explained in [Section 8.20.1](#sec-reveal-assertions).
+
+The attributes recognized for assert statements are discussed in [Section 11.4](#sec-verification-attributes-on-assertions).
+
+Using `...` as the argument of the statement is deprecated.
+
+An assert statement can have [custom error and success messages](#sec-error-attribute).
+
+## 8.18. Assume Statement ([grammar](#g-assume-statement)) {#sec-assume-statement}
+
+Examples:
+<!-- %no-check -->
+```dafny
+assume i > 0;
+assume {:axiom} i > 0 ==> -i < 0;
+```
+
+The `assume` statement lets the user specify a logical proposition
+that Dafny may assume to be true without proof. If in fact the
+proposition is not true this may lead to invalid conclusions.
+
+An `assume` statement would ordinarily be used as part of a larger
+verification effort where verification of some other part of
+the program required the proposition. By using the `assume` statement
+the other verification can proceed. Then when that is completed the
+user would come back and replace the `assume` with `assert`.
+
+To help the user not forget about that last step, a warning is emitted for any assume statement.
+Adding the `{:axiom}` attribute to the assume will suppress the warning,
+indicating the user takes responsibility for being absolutely sure 
+that the proposition is indeed true.
+
+Using `...` as the argument of the statement is deprecated.
+
+## 8.19. Expect Statement ([grammar](#g-expect-statement)) {#sec-expect-statement}
+
+Examples:
+<!-- %no-check -->
+```dafny
+expect i > 0;
+expect i > 0, "i is positive";
+```
+
+The `expect` statement states a boolean expression that is
+(a) assumed to be true by the verifier
+and (b) checked to be true
+at run-time. That is, the compiler inserts into the run-time executable a
+check that the given expression is true; if the expression is false, then
+the execution of the program halts immediately. If a second argument is
+given, it may be a value of any type.
+That value is converted to a string (just like the `print` statement)
+and the string is included
+in the message emitted by the program
+when it halts; otherwise a default message is emitted.
+
+Because the expect expression and optional second argument are compiled, they cannot be ghost expressions.
+
+The `expect` statement behaves like
+`assume` for the verifier, but also inserts a run-time check that the
+assumption is indeed correct (for the test cases used at run-time).
+
+Here are a few use-cases for the `expect` statement.
+
+A) To check the specifications of external methods.
+
+Consider an external method `Random` that takes a `nat` as input
+and returns a `nat` value that is less than the input.
+Such a method could be specified as
+<!-- %no-check -->
+```dafny
+method {:extern} Random(n: nat) returns (r: nat)
+  ensures r < n
+```
+But because there is no body for `Random` (only the external non-dafny implementation),
+it cannot be verified that `Random` actually satisfies this specification.
+
+To mitigate this situation somewhat, we can define a wrapper function, `Random'`,
+that calls `Random` but in which we can put some run-time checks:
+<!-- %check-resolve %options --allow-external-contracts -->
+```dafny
+method {:extern} Random(n: nat) returns (r: nat)
+
+method Random'(n: nat) returns (r: nat)
+  ensures r < n
+{
+  r := Random(n);
+  expect r < n;
+}
+```
+Here we can verify that `Random'` satisfies its own specification,
+relying on the unverified specification of `Random`.
+But we are also checking at run-time that any input-output pairs for `Random`
+encountered during execution
+do satisfy the specification,
+as they are checked by the `expect` statement.
+
+Note, in this example, two problems still remain.
+One problem is that the out-parameter of the extern `Random` has type `nat`,
+but there is no check that the value returned really is non-negative.
+It would be better to declare the out-parameter of `Random` to be `int` and
+to include `0 <= r` in the condition checked by the `expect` statement in `Random'`.
+The other problem is that `Random` surely will need `n` to be strictly positive.
+This can be fixed by adding `requires n != 0` to `Random'` and `Random`.
+
+B) Run-time testing
+
+Verification and run-time testing are complementary
+and both have their role in assuring that software does what is intended.
+Dafny can produce executables
+and these can be instrumented with unit tests.
+Annotating a method with the `{:test}` attribute
+indicates to the compiler
+that it should produce target code
+that is correspondingly annotated to mark the method
+as a unit test (e.g., an XUnit test) in the target language.
+Alternatively, the `dafny test` command will produce a main method
+that invokes all methods with the `{:test}` attribute, and hence does not
+depend on any testing framework in the target language.
+Within such methods one might use `expect` statements (as well as `print` statements)
+to insert checks that the target program is behaving as expected.
+
+C) Debugging
+
+While developing a new program, one work style uses proof attempts and runtime tests in combination.
+If an assert statement does not prove, one might run the program with a corresponding expect statement
+to see if there are some conditions when the assert is not actually true. So one might have
+paired assert/expect statements:
+<!-- %no-check -->
+```dafny
+assert _P_;
+expect _P_;
+```
+Once the program is debugged, both statements can be removed.
+Note that it is important that the `assert` come before the `expect`, because
+by the verifier, the `expect` is interpreted as an `assume`, which would automatically make
+a subsequent `assert` succeed.
+
+D) Compiler tests
+
+The same approach might be taken to assure that compiled code is behaving at run-time consistently with the statically verified code,
+one can again use paired assert/expect statements with the same expression:
+<!-- %no-check -->
+```dafny
+assert _P_;
+expect _P_;
+```
+The verifier will check that _P_ is always true at the given point in a program
+(at the `assert` statement).
+
+At run-time, the compiler will insert checks that the same predicate,
+in the `expect` statement, is true.
+Any difference identifies a compiler bug.
+Again the `expect` must be after the `assert`:
+if the `expect` is first,
+then the verifier will interpret the `expect` like an `assume`,
+in which case the `assert` will be proved trivially
+and potential unsoundness will be hidden.
+
+Using `...` as the argument of the statement is deprecated.
+
+## 8.20. Reveal Statement ([grammar](#g-reveal-statement)) {#sec-reveal-statement}
+
+Examples:
+<!-- %no-check -->
+```dafny
+reveal f(), L;
+```
+
+The `reveal` statement makes available to the solver information that is otherwise not visible, as described in the following subsections.
+
+### 8.20.1. Revealing assertions {#sec-reveal-assertions}
+
+If an assert statement has an expression label, then a proof of that assertion is attempted, but the assertion itself
+is not used subsequently.  For example, consider
+<!-- %check-verify Statements.5.expect -->
+```dafny
+method m(i: int) {
+  assert x: i == 0; // Fails
+  assert i == 0; // Fails also because the label 'x:' hides the first assertion
+}
+```
+The first assertion fails. Without the label `x:`, the second would succeed because after a failing assertion, the 
+assertion is assumed in the context of the rest of the program.  But with the label, the first assertion is hidden from
+the rest of the program. That assertion can be _revealed_ by adding a `reveal` statement:
+
+<!-- %check-verify Statements.6.expect -->
+```dafny
+method m(i: int) {
+  assert x: i == 0; // Fails
+  reveal x;
+  assert i == 0; // Now succeeds
+}
+```
+or
+<!-- %check-verify Statements.7.expect -->
+```dafny
+method m(i: int) {
+  assert x: i == 0; // Fails
+  assert i == 0 by { reveal x; } // Now succeeds
+}
+```
+At the point of the `reveal` statement, the labeled assertion is made visible and can be used in proving the second assertion.
+In this example there is no point to labeling an assertion and then immediately revealing it. More useful are the cases where
+the reveal is in an assert-by block or much later in the method body.
+
+### 8.20.2. Revealing preconditions
+
+In the same way as assertions, preconditions can be labeled.
+Within the body of a method, a precondition is an assumption; if the precondition is labeled then that assumption is not visible in the body of the method.
+A `reveal` statement naming the label of the precondition then makes the assumption visible.
+
+Here is a toy example:
+<!-- %check-verify Statements.8.expect -->
+```dafny
+method m(x: int, y: int) returns (z: int)
+  requires L: 0 < y
+  ensures z == x+y
+  ensures x < z
+{
+  z := x + y;
+}
+```
+The above method will not verify. In particular, the second postcondition cannot be proved.
+However, if we add a `reveal L;` statement in the body of the method, then the precondition is visible 
+and both postconditions can be proved.
+
+One could also use this style:
+<!-- %check-verify -->
+```dafny
+method m(x: int, y: int) returns (z: int)
+  requires L: 0 < y
+  ensures z == x+y
+  ensures x < z
+{
+  z := x + y;
+  assert x < z by { reveal L; }
+}
+```
+
+The reason to possibly hide a precondition is the same as the reason to hide assertions: 
+sometimes less information is better for the solver as it helps the solver focus attention on 
+relevant information.
+
+Section 7 of [http://leino.science/papers/krml276.html](http://leino.science/papers/krml276.html) provides 
+an extended illustration of this technique to make all the dependencies of an `assert` explicit.
+
+### 8.20.3. Hiding and revealing function bodies {#hide-statement}
+
+By default, function bodies are revealed and available for constructing proofs of assertions that use those functions.
+However, if a function body is not necessary for a proof, the runtime of the proof can be improved by hiding that body.
+To do this, use the hide statement. Here's an example:
+
+<!-- %check-verify %options --isolate-assertions --type-system-refresh -->
+```dafny
+// We are using the options --isolate-assertions and --type-system-refresh
+method Outer(x: int)
+  requires ComplicatedBody(x) 
+{
+  hide ComplicatedBody; // This hides the body of ComplicatedBody for the remainder of the method.
+  
+  // The body of ComplicatedBody is not needed to prove the requires of Inner
+  var y := Inner(x);
+  
+  // We reveal ComplicatedBody inside the following expression, to prove that we are not dividing by zero
+  var z := (reveal ComplicatedBody; 10 / x);
+}
+
+method Inner(x: int) returns (r: int)
+  requires ComplicatedBody(x)
+
+predicate ComplicatedBody(x: int) {
+  x != 0 && true // pretend true is complicated 
+}
+```
+
+Here is a larger example that shows the rules for hide and reveal statements when used on functions:
+
+<!-- %check-verify Statements.8b.expect %options --isolate-assertions --type-system-refresh -->
+```dafny
+// We are using the options --isolate-assertions and --type-system-refresh
+predicate P() { true }
+predicate Q(x: bool) requires x
+
+method Foo() {
+  var q1 := Q(hide P; P()); // error, precondition not satisfied
+  var q2 := Q(hide P; reveal P; P()); // no error
+  
+  hide *;
+  
+  var q3 := Q(P()); // error, precondition not satisfied
+  var q4 := Q(reveal P; P()); // no error
+  
+  if (*) {
+    reveal P;
+    assert P();
+  } else {
+    assert P(); // error
+  }
+  reveal P;
+  if (*) {
+    assert P();
+  } else {
+    hide *;
+    assert P(); // error
+  }
+  
+  hide *;
+  if (*) {
+    reveal P;
+  } else {
+    reveal P;
+  }
+  assert P(); // error, since the previous two reveal statements are out of scope
+}
+```
+
+### 8.20.4. Revealing constants
+
+A `const` declaration can be `opaque`. If so the value of the constant is not known in reasoning about its uses, just its type and the
+fact that the value does not change. The constant's identifier can be listed in a reveal statement. In that case, like other revealed items,
+the value of the constant will be known to the reasoning engine until the end of the block containing the reveal statement.
+
+A label or locally declared name in a method body will shadow an opaque constant with the same name outside the method body,
+making it unable to be revealed without using a qualified name.
+
+## 8.21. Forall Statement ([grammar](#g-forall-statement)) {#sec-forall-statement}
+
+Examples:
+<!-- %no-check -->
+```dafny
+forall i | 0 <= i < a.Length {
+  a[i] := 0;
+}
+forall i | 0 <= i < 100 {
+  P(i); // P a lemma
+}
+forall i | 0 <= i < 100
+  ensures i < 1000 {
+} 
+```
+
+The `forall` statement executes the body
+simultaneously for all quantified values in the specified quantifier domain.
+You can find more details about [quantifier domains here](#sec-quantifier-domains).
+
+There are several variant uses of the `forall`
+statement and there are a number of restrictions.
+A `forall` statement can be classified as one of the following:
+
+* _Assign_ - the `forall` statement is used for simultaneous assignment.
+The target must be an array element or an object field.
+* _Call_ - The body consists of a single call to a ghost method without side effects
+* _Proof_ - The `forall` has `ensure` expressions which are effectively
+quantified or proved by the body (if present).
+
+An _assign_ `forall` statement performs simultaneous assignment.
+The left-hand sides must denote different l-values, unless the
+corresponding right-hand sides also coincide.
+
+The following is an excerpt of an example given by Leino in
+[_Developing Verified Programs with Dafny_][leino233].
+When the buffer holding the queue needs to be resized,
+the `forall` statement is used to simultaneously copy the old contents
+into the new buffer.
+
+[leino233]: http://research.microsoft.com/en-us/um/people/leino/papers/krml233.pdf
+
+<!-- %check-verify %options --relax-definite-assignment -->
+```dafny
+class SimpleQueue<Data(0)>
+{
+  ghost var Contents: seq<Data>
+  var a: array<Data>  // Buffer holding contents of queue.
+  var m: int          // Index head of queue.
+  var n: int          // Index just past end of queue
+   
+  method Enqueue(d: Data)
+    requires a.Length > 0
+    requires 0 <= m <= n <= a.Length
+    modifies this, this.a
+    ensures Contents == old(Contents) + [d]
+  {
+    if n == a.Length {
+      var b := a;
+      if m == 0 { b := new Data[2 * a.Length]; }
+      forall i | 0 <= i < n - m {
+      	b[i] := a[m + i];
+      }
+      a, m, n := b, 0, n - m;
+    }
+    a[n], n, Contents := d, n + 1, Contents + [d];
+  }
+}
+```
+
+Here is an example of a _call_ `forall` statement and the
+callee. This is contained in the `CloudMake-ConsistentBuilds.dfy`
+test in the Dafny repository.
+
+<!-- %no-check Too many undeclared symbols -->
+```dafny
+method m() {
+  forall cmd', deps', e' |
+       Hash(Loc(cmd', deps', e')) == Hash(Loc(cmd, deps, e)) {
+    HashProperty(cmd', deps', e', cmd, deps, e);
+  }
+}
+
+lemma HashProperty(cmd: Expression, deps: Expression, ext: string,
+    cmd': Expression, deps': Expression, ext': string)
+  requires Hash(Loc(cmd, deps, ext)) == Hash(Loc(cmd', deps', ext'))
+  ensures cmd == cmd' && deps == deps' && ext == ext'
+```
+
+The following example of a _proof_ `forall` statement comes from the same file:
+
+<!-- %no-check Too many undeclared symbols -->
+```dafny
+forall p | p in DomSt(stCombinedC.st) && p in DomSt(stExecC.st)
+  ensures GetSt(p, stCombinedC.st) == GetSt(p, stExecC.st)
+{
+  assert DomSt(stCombinedC.st) <= DomSt(stExecC.st);
+  assert stCombinedC.st == Restrict(DomSt(stCombinedC.st),
+                                               stExecC.st);
+}
+```
+
+More generally, the statement
+<!-- %no-check -->
+```dafny
+forall x | P(x) { Lemma(x); }
+```
+is used to invoke `Lemma(x)` on all `x` for which `P(x)` holds. If
+`Lemma(x)` ensures `Q(x)`, then the forall statement establishes
+<!-- %no-check -->
+```dafny
+forall x :: P(x) ==> Q(x).
+```
+
+The `forall` statement is also used extensively in the de-sugared forms of
+co-predicates and co-lemmas. See [datatypes](#sec-coinductive-datatypes).
+
+## 8.22. Modify Statement ([grammar](#g-modify-statement)) {#sec-modify-statement}
+
+The effect of the `modify` statement
+is to say that some undetermined
+modifications have been made to any or all of the memory
+locations specified by the given [frame expressions](#sec-frame-expression).
+In the following example, a value is assigned to field `x`
+followed by a `modify` statement that may modify any field
+in the object. After that we can no longer prove that the field
+`x` still has the value we assigned to it. The now unknown values
+still are values of their type (e.g. of the subset type or newtype).
+
+<!-- %check-verify Statements.10.expect -->
+```dafny
+class MyClass {
+  var x: int
+  method N()
+    modifies this
+  {
+    x := 18;
+    modify this;
+    assert x == 18;  // error: cannot conclude this here
+  }
+}
+```
+
+Using `...` as the argument of the statement is deprecated.
+
+The form of the `modify` statement which includes a block
+statement is also deprecated.
+
+The [havoc assignment](#sec-havoc-statement) also sets a variable or field
+to some arbitrary (but type-consistent) value. The difference is that
+the havoc assignment acts on one LHS variable or memory location;
+the modify statement acts on all the fields of an object.
+
+## 8.23. Calc Statement ([grammar](#g-calc-statement)) {#sec-calc-statement}
+
+See also: [Verified Calculations](http://research.microsoft.com/en-us/um/people/leino/papers/krml231.pdf).
+
+The `calc` statement supports _calculational proofs_ using a language
+feature called _program-oriented calculations_ (poC). This feature was
+introduced and explained in the [_Verified Calculations_] paper by Leino
+and Polikarpova[@LEINO:Dafny:Calc]. Please see that paper for a more
+complete explanation of the `calc` statement. We here mention only the
+highlights.
+
+Calculational proofs are proofs by stepwise formula manipulation
+as is taught in elementary algebra. The typical example is to prove
+an equality by starting with a left-hand-side and through a series of
+transformations morph it into the desired right-hand-side.
+
+Non-syntactic rules further restrict hints to only ghost and side-effect
+free statements, as well as imposing a constraint that only
+chain-compatible operators can be used together in a calculation. The
+notion of chain-compatibility is quite intuitive for the operators
+supported by poC; for example, it is clear that "<" and ">" cannot be used within
+the same calculation, as there would be no relation to conclude between
+the first and the last line. See the [paper][Verified Calculations] for
+a more formal treatment of chain-compatibility.
+
+Note that we allow a single occurrence of the intransitive operator "!=" to
+appear in a chain of equalities (that is, "!=" is chain-compatible with
+equality but not with any other operator, including itself). Calculations
+with fewer than two lines are allowed, but have no effect. If a step
+operator is omitted, it defaults to the calculation-wide operator,
+defined after the `calc` keyword. If that operator is omitted, it defaults
+to equality.
+
+Here is an example using `calc` statements to prove an elementary
+algebraic identity. As it turns out, Dafny is able to prove this without
+the `calc` statements, but the example illustrates the syntax.
+
+<!-- %check-verify -->
+```dafny
+lemma docalc(x : int, y: int)
+  ensures (x + y) * (x + y) == x * x + 2 * x * y + y * y
+{
+  calc {
+    (x + y) * (x + y);
+    ==
+    // distributive law: (a + b) * c == a * c + b * c
+    x * (x + y) + y * (x + y);
+    ==
+    // distributive law: a * (b + c) == a * b + a * c
+    x * x + x * y + y * x + y * y;
+    ==
+    calc {
+	    y * x;
+      ==
+	    x * y;
+    }
+    x * x + x * y + x * y + y * y;
+    ==
+    calc {
+      x * y + x * y;
+      ==
+      // a = 1 * a
+      1 * x * y + 1 * x * y;
+      ==
+      // Distributive law
+      (1 + 1) * x * y;
+      ==
+      2 * x * y;
+    }
+    x * x + 2 * x * y + y * y;
+  }
+}
+```
+
+Here we started with `(x + y) * (x + y)` as the left-hand-side
+expressions and gradually transformed it using distributive,
+commutative and other laws into the desired right-hand-side.
+
+The justification for the steps are given as comments or as
+nested `calc` statements that prove equality of some sub-parts
+of the expression.
+
+The `==` operators show the relation between
+the previous expression and the next. Because of the transitivity of
+equality we can then conclude that the original left-hand-side is
+equal to the final expression.
+
+We can avoid having to supply the relational operator between
+every pair of expressions by giving a default operator between
+the `calc` keyword and the opening brace as shown in this abbreviated
+version of the above calc statement:
+
+<!-- %check-verify -->
+```dafny
+lemma docalc(x : int, y: int)
+  ensures (x + y) * (x + y) == x * x + 2 * x * y + y * y
+{
+  calc == {
+    (x + y) * (x + y);
+    x * (x + y) + y * (x + y);
+    x * x + x * y + y * x + y * y;
+    x * x + x * y + x * y + y * y;
+    x * x + 2 * x * y + y * y;
+  }
+}
+```
+
+And since equality is the default operator, we could have omitted
+it after the `calc` keyword.
+The purpose of the block statements or the `calc` statements between
+the expressions is to provide hints to aid Dafny in proving that
+step. As shown in the example, comments can also be used to aid
+the human reader in cases where Dafny can prove the step automatically.
+
+## 8.24. Opaque Block ([grammar](#g-opaque-block)) {#sec-opaque-block}
+As a Dafny sequence of statements grows in length, it can become harder to verify later statements in the block. With each statement, new information can become available, and with each modification of the heap, it becomes more expensive to access information from an older heap version. To reduce the verification complexity of long lists of statements, Dafny users can extract part of this block into a separate method or lemma. However, doing so introduces some boilerplate, which is where opaque blocks come in. They achieve a similar effect on verification performance as extracting code, but without the boilerplate. 
+
+An opaque block is similar to a block statement: it contains a sequence of zero or more statements, enclosed by curly braces. However, an opaque block is preceded by the keyword 'opaque', and may define ensures and modifies clauses before the curly braces. Anything that happens inside the block is invisible to the statements that come after it, unless it is specified by the ensures clause. Here is an example:
+
+<!-- %check-verify Statements.opaqueBlock.expect -->
+```dafny
+method OpaqueBlockUser() returns (x: int)
+  ensures x > 4 
+{
+  x := 1;
+  var y := 1;
+  opaque
+    ensures x > 3 
+  {
+    x := x + y;
+    x := x + 2;
+  }
+  assert x == 4; // error
+  x := x + 1;
+}
+```
+
+By default, the modifies clause of an opaque block is the same as that of the enclosing context. Opaque blocks may be nested.
diff --git a/v4.10.0/DafnyRef/Statements.opaqueBlock.expect b/v4.10.0/DafnyRef/Statements.opaqueBlock.expect
new file mode 100644
index 0000000..04352d3
--- /dev/null
+++ b/v4.10.0/DafnyRef/Statements.opaqueBlock.expect
@@ -0,0 +1,3 @@
+text.dfy(12,2): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/SyntaxTests.md b/v4.10.0/DafnyRef/SyntaxTests.md
new file mode 100644
index 0000000..e3dc8d9
--- /dev/null
+++ b/v4.10.0/DafnyRef/SyntaxTests.md
@@ -0,0 +1,99 @@
+
+<!--PDF NEWPAGE-->
+# 18. Testing syntax rendering
+
+Sample math B: $a \to b$ or
+<p style="text-align: center;">$$ a \to \pi $$</p>
+ or \( a \top \) or \[ a \to \pi \]
+
+Colors
+<!-- %no-check -->
+```dafny
+integer literal:  10
+hex literal:      0xDEAD
+real literal:     1.1
+boolean literal:  true false
+char literal:     'c'
+string literal:   "abc"
+verbatim string:  @"abc"
+ident:            ijk
+type:             int
+generic type:     map<int,T>
+operator:         <=
+punctuation:      { }
+keyword:          while
+spec:             requires
+comment:          // comment
+attribute         {: name }
+error:            $
+```
+
+Syntax color tests:
+
+<!-- %no-check -->
+```dafny
+integer: 0 00 20 01 0_1
+float:   .0 1.0 1. 0_1.1_0
+bad:    0_
+hex:    0x10_abcdefABCDEF
+string:   "string \n \t \r \0" "a\"b" "'" "\'" ""
+string:   "!@#$%^&*()_-+={}[]|:;\\<>,.?/~`"
+string:   "\u1234 "
+string:   "     " : "\0\n\r\t\'\"\\"
+notstring: "abcde
+notstring: "\u123 " : "x\Zz" : "x\ux"
+vstring:  @"" @"a" @"""" @"'\" @"\u"
+vstring:  @"xx""y y""zz "
+vstring:  @" " @"       "
+vstring:  @"x
+x"
+bad:      @!
+char:    'a' '\n' '\'' '"' '\"' ' ' '\\'
+char:    '\0' '\r' '\t'  '\u1234'
+badchar:  $ `
+ids:  '\u123'   '\Z'  '\u'  '\u2222Z'
+ids:  '\u123ZZZ'     '\u2222Z'
+ids: 'a : a' : 'ab' :  'a'b' : 'a''b'
+ids:  a_b _ab ab? _0
+id-label:  a@label
+literal:  true false null
+op:      - ! ~ x  -!~x
+op:      a + b - c * d / e % f a+b-c*d/e%f
+op:      <= >= < > == != b&&c || ==> <==> <==
+op:      !=# !! in !in
+op:      !in∆  !iné
+not op:  !inx
+punc:    . , :: | :| := ( ) [ ] { }
+types:   int real string char bool nat ORDINAL
+types:   object object?
+types:   bv1 bv10 bv0
+types:   array array2 array20 array10
+types:   array? array2? array20? array10?
+ids:     array1 array0 array02 bv02 bv_1
+ids:     intx natx int0 int_ int? bv1_ bv1x array2x
+types:   seq<int>  set < bool >
+types:   map<bool,bool>  imap < bool , bool >
+types:   seq<Node> seq< Node >
+types:   seq<set< real> >
+types:   map<set<int>,seq<bool>>
+types:   G<A,int> G<G<A>,G<bool>>
+types:   seq map imap set iset multiset
+ids:     seqx mapx
+no arg:  seq < >  seq < , >  seq <bool , , bool >  seq<bool,>
+keywords: if while assert assume
+spec:    requires  reads modifies
+attribute:  {: MyAttribute "asd", 34 }
+attribute:  {: MyAttribute }
+comment:  // comment
+comment:  /* comment */ after
+comment:  // comment /* asd */ dfg
+comment:  /* comment /* embedded */ tail */ after
+comment:  /* comment // embedded */ after
+comment: /* comment
+   /* inner comment
+   */
+   outer comment
+   */ after
+   more after
+```
+
diff --git a/v4.10.0/DafnyRef/Topics.1.expect b/v4.10.0/DafnyRef/Topics.1.expect
new file mode 100644
index 0000000..922f938
--- /dev/null
+++ b/v4.10.0/DafnyRef/Topics.1.expect
@@ -0,0 +1,3 @@
+text.dfy(4,33): Error: type of the receiver is not fully determined at this program point
+text.dfy(4,50): Error: type of the receiver is not fully determined at this program point
+2 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Topics.2.expect b/v4.10.0/DafnyRef/Topics.2.expect
new file mode 100644
index 0000000..1c2f3c7
--- /dev/null
+++ b/v4.10.0/DafnyRef/Topics.2.expect
@@ -0,0 +1,2 @@
+text.dfy(5,10): Error: the type of this variable is underspecified
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Topics.3.expect b/v4.10.0/DafnyRef/Topics.3.expect
new file mode 100644
index 0000000..66c482d
--- /dev/null
+++ b/v4.10.0/DafnyRef/Topics.3.expect
@@ -0,0 +1,3 @@
+text.dfy(6,10): Error: the type of this variable is underspecified
+text.dfy(6,23): Error: type parameter 'T' (inferred to be '?') in the function call to 'EmptySet' could not be determined
+2 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Topics.md b/v4.10.0/DafnyRef/Topics.md
new file mode 100644
index 0000000..2dda40f
--- /dev/null
+++ b/v4.10.0/DafnyRef/Topics.md
@@ -0,0 +1,1174 @@
+# 12. Advanced Topics {#sec-advanced-topics}
+
+## 12.1. Type Parameter Completion {#sec-type-parameter-completion}
+
+Generic types, like `A<T,U>`, consist of a _type constructor_, here `A`, and type parameters, here `T` and `U`.
+Type constructors are not first-class entities in Dafny, they are always used syntactically to construct
+type names; to do so, they must have the requisite number of type parameters, which must be either concrete types, type parameters, or 
+a generic type instance.
+
+However, those type parameters do not always have to be explicit; Dafny can often infer what they ought to be.
+For example, here is a fully parameterized function signature:
+<!-- %check-resolve -->
+```dafny
+type List<T>
+function Elements<T>(list: List<T>): set<T>
+```
+However, Dafny also accepts
+<!-- %check-resolve -->
+```dafny
+type List<T>
+function Elements(list: List): set
+```
+In the latter case, Dafny knows that the already defined types `set` and `List` each take one type parameter
+so it fills in `<T>` (using some unique type parameter name) and then determines that the function itself needs
+a type parameter `<T>` as well.
+
+Dafny also accepts
+<!-- %check-resolve -->
+```dafny
+type List<T>
+function Elements<T>(list: List): set
+```
+In this case, the function already has a type parameter list. `List` and `set` are each known to need type parameters,
+so Dafny takes the first `n` parameters from the function signature and applies them to `List` and `set`, where `n` (here `1`) is the
+number needed by those type constructors.
+ 
+It never hurts to simply write in all the type parameters, but that can reduce readability.
+Omitting them in cases where Dafny can intuit them makes a more compact definition.
+
+This process is described in more detail with more examples in this paper:
+[http://leino.science/papers/krml270.html](http://leino.science/papers/krml270.html).
+
+## 12.2. Type Inference {#sec-type-inference}
+
+Signatures of methods, functions, fields (except `const` fields with a
+RHS), and datatype constructors have to declare the types of their
+parameters. In other places, types can be omitted, in which case
+Dafny attempts to infer them. Type inference is "best effort" and may
+fail. If it fails to infer a type, the remedy is simply for the
+program to give the type explicitly.
+
+Despite being just "best effort", the types of most local variables,
+bound variables, and the type parameters of calls are usually inferred
+without the need for a program to give the types explicitly. Here are
+some notes about type inference:
+
+* With some exceptions, type inference is performed across a whole
+  method body. In some cases, the information needed to infer a local
+  variable's type may be found after the variable has been declared
+  and used. For example, the nonsensical program
+
+<!-- %check-resolve -->
+    ```dafny
+    method M(n: nat) returns (y: int)
+    {
+      var a, b;
+      for i := 0 to n {
+        if i % 2 == 0 {
+          a := a + b;
+        }
+      }
+      y := a;
+    }
+    ```
+
+  uses `a` and `b` after their declarations. Still, their types are
+  inferred to be `int`, because of the presence of the assignment `y := a;`.
+
+  A more useful example is this:
+
+<!-- %check-verify -->
+    ```dafny
+    class Cell {
+      var data: int
+    }
+    
+    method LastFive(a: array<int>) returns (r: int)
+    {
+      var u := null;
+      for i := 0 to a.Length {
+        if a[i] == 5 {
+          u := new Cell;
+          u.data := i;
+        }
+      }
+      r := if u == null then a.Length else u.data;
+    }
+    ```
+
+  Here, using only the assignment `u := null;` to infer the type of
+  `u` would not be helpful. But Dafny looks past the initial
+  assignment and infers the type of `u` to be `Cell?`.
+
+* The primary example where type inference does not inspect the entire
+  context before giving up on inference is when there is a member
+  lookup. For example,
+
+<!-- %check-resolve Topics.1.expect -->
+    ```dafny
+    datatype List<T> = Nil | Cons(T, List<T>)
+
+    method Tutone() {
+      assert forall pair :: pair.0 == 867 && pair.1 == 5309 ==> pair == (867, 5309); // error: members .0 and .1 not found
+      assert forall pair: (int, int) :: pair.0 == 867 && pair.1 == 5309 ==> pair == (867, 5309);
+    }
+    ```
+
+  In the first quantifier, type inference fails to infer the type of
+  `pair` before it tries to look up the members `.0` and `.1`, which
+  results in a "type of the receiver not fully determined" error. The
+  remedy is to provide the type of `pair` explicitly, as is done in the
+  second quantifier.
+
+  (In the future, Dafny may do more type inference before giving up on the member lookup.)
+
+* If type parameters cannot be inferred, then they can be given
+  explicitly in angle brackets. For example, in
+
+<!-- %check-resolve Topics.2.expect -->
+    ```dafny
+    datatype Option<T> = None | Some(T)
+    
+    method M() {
+      var a: Option<int> := None;
+      var b := None; // error: type is underspecified
+      var c := Option<int>.None;
+      var d := None;
+      d := Some(400);
+    }
+    ```
+
+  the type of `b` cannot be inferred, because it is underspecified.
+  However, the types of `c` and `d` are inferred to be `Option<int>`.
+
+  Here is another example:
+
+<!-- %check-resolve Topics.3.expect -->
+    ```dafny
+    function EmptySet<T>(): set<T> {
+      {}
+    }
+
+    method M() {
+      var a := EmptySet(); // error: type is underspecified
+      var b := EmptySet();
+      b := b + {2, 3, 5};
+      var c := EmptySet<int>();
+    }
+    ```
+
+  The type instantiation in the initial assignment to `a` cannot
+  be inferred, because it is underspecified. However, the type
+  instantiation in the initial assignment to `b` is inferred to
+  be `int`, and the types of `b` and `c` are inferred to be
+  `set<int>`.
+
+* Even the element type of `new` is optional, if it can be inferred. For example, in
+
+<!-- %check-resolve -->
+    ```dafny
+    method NewArrays()
+    {
+      var a := new int[3];
+      var b: array<int> := new [3];
+      var c := new [3];
+      c[0] := 200;
+      var d := new [3] [200, 800, 77];
+      var e := new [] [200, 800, 77];
+      var f := new [3](_ => 990);
+    }
+    ```
+
+  the omitted types of local variables are all inferred as
+  `array<int>` and the omitted element type of each `new` is inferred
+  to be `int`.
+
+* In the absence of any other information, integer-looking literals
+  (like `5` and `7`) are inferred to have type `int` (and not, say,
+  `bv128` or `ORDINAL`).
+
+* Many of the types inferred can be inspected in the IDE.
+
+## 12.3. Ghost Inference {#sec-ghost-inference}
+
+After[^why-after-type-inference] [type inference](#sec-type-inference), Dafny revisits the program
+and makes a final decision about which statements are to be compiled,
+and which statements are ghost.
+The ghost statements form what is called the _ghost context_ of expressions.
+
+[^why-after-type-inference]: Ghost inference has to be performed after type inference, at least because it is not possible to determine if a member access `a.b` refers to a ghost variable until the type of `a` is determined.
+
+These statements are determined to be ghost:
+
+- [`assert`](#sec-assert-statement), [`assume`](#sec-assume-statement), [`reveal`](#sec-reveal-statement), and [`calc`](#sec-calc-statement) statements.
+- The body of the `by` of an [`assert`](#sec-assert-statement) statement.
+- Calls to ghost methods, including [lemmas](#sec-lemmas).
+- [`if`](#sec-if-statement), [`match`](#sec-match-statement), and [`while`](#sec-while-statement) statements with condition expressions or alternatives containing ghost expressions. Their bodies are also ghost.
+- [`for`](#sec-for-statement) loops whose start expression contains ghost expressions.
+- [Variable declarations](#sec-variable-declaration-statement) if they are explicitly ghost or if their respective right-hand side is a ghost expression.
+- [Assignments or update statement](#sec-update-and-call-statement) if all updated variables are ghost.
+- [`forall`](#sec-forall-statement) statements, unless there is exactly one assignment to a non-ghost array in its body.
+
+These statements always non-ghost:
+
+- [`expect`](#sec-expect-statement) statements.
+- [`print`](#sec-print-statement) statements.
+
+The following expressions are ghost, which is used in some of the tests above:
+
+- All [specification expressions](#sec-list-of-specification-expressions)
+- All calls to functions and predicates marked as `ghost`
+- All variables, [constants](#sec-constant-field-declaration) and [fields](#sec-field-declaration) declared using the `ghost` keyword
+
+Note that inferring ghostness can uncover other errors, such as updating non-ghost variables in ghost contexts.
+For example, if `f` is a ghost function, in the presence of the following code:
+
+<!-- %no-check -->
+```dafny
+var x := 1;
+if(f(x)) {
+  x := 2;
+}
+```
+
+Dafny will infer that the entire `if` is ghost because the condition uses a ghost function,
+and will then raise the error that it's not possible to update the non-ghost variable `x` in a ghost context.
+
+
+## 12.4. Well-founded Functions and Extreme Predicates {#sec-extreme}
+
+Recursive functions are a core part of computer science and mathematics.
+Roughly speaking, when the definition of such a function spells out a
+terminating computation from given arguments, we may refer to
+it as a _well-founded function_.  For example, the common factorial and
+Fibonacci functions are well-founded functions.
+
+There are also other ways to define functions.  An important case
+regards the definition of a boolean function as an extreme solution
+(that is, a least or greatest solution) to some equation.  For
+computer scientists with interests in logic or programming languages,
+these _extreme predicates_ are important because they describe the
+judgments that can be justified by a given set of inference rules
+(see, e.g., [@CamilleriMelham:InductiveRelations;
+@Winskel:FormalSemantics;
+  @LeroyGrall:CoinductiveBigStep; @Pierce:SoftwareFoundations;
+  @NipkowKlein:ConcreteSemantics]).
+
+To benefit from machine-assisted reasoning, it is necessary not just
+to understand extreme predicates but also to have techniques for
+proving theorems about them.  A foundation for this reasoning was
+developed by Paulin-Mohring [@PaulinMohring:InductiveCoq] and is the
+basis of the constructive logic supported by Coq [@Coq:book] as well
+as other proof assistants [@BoveDybjerNorell:BriefAgda;
+@SwamyEtAl:Fstar2011].  Essentially, the idea is to represent the
+knowledge that an extreme predicate holds by the proof term by which
+this knowledge was derived.  For a predicate defined as the least
+solution, such proof terms are values of an inductive datatype (that
+is, finite proof trees), and for the greatest solution, a coinductive
+datatype (that is, possibly infinite proof trees).  This means that
+one can use induction and coinduction when reasoning about these proof
+trees.  These extreme predicates are known as,
+respectively, _least predicates_ and _greatest predicates_.
+Support for extreme predicates is also
+available in the proof assistants Isabelle [@Paulson:CADE1994] and HOL
+[@Harrison:InductiveDefs].
+
+Dafny supports both well-founded functions and extreme predicates.
+This section describes the difference in general
+terms, and then describes novel syntactic support in Dafny for
+defining and proving lemmas with extreme predicates.  Although Dafny's
+verifier has at its core a first-order SMT solver, Dafny's logical
+encoding makes it possible to reason about fixpoints in an automated
+way.
+
+The encoding for greatest predicates in Dafny was described previously
+[@LeinoMoskal:Coinduction] and is here described in [the section about datatypes](#sec-coinductive-datatypes).
+
+### 12.4.1. Function Definitions
+
+To define a function $f \colon X \to Y$ in terms of itself, one can
+write a general equation like
+
+<p style="text-align: center;" id="eq-general">
+$$f = \mathcal{F}(f)$$
+</p>
+
+where $\mathcal{F}$ is a non-recursive function of type
+$(X \to Y) \to X \to Y$.
+Because it takes a function as an argument,
+$\mathcal{F}$
+is referred to as a _functor_ (or _functional_, but not to be
+confused by the category-theory notion of a functor).
+Throughout, assume that
+$\mathcal{F}(f)$
+by itself is well defined,
+for example that it does not divide by zero.  Also assume that
+$f$
+occurs
+only in fully applied calls in
+$\mathcal{F}(f)$;
+ eta expansion can be applied to
+ensure this.  If
+$f$
+is a `boolean` function, that is, if
+$Y$
+is
+the type of booleans, then 
+$f$ is called
+a _predicate_.
+
+For example, the common Fibonacci function over the
+natural numbers can be defined by the equation
+<p style="text-align: center;">
+$$
+\mathit{fib} = \lambda n \bullet\: \mathbf{if}\:n < 2 \:\mathbf{then}\: n \:\mathbf{else}\: \mathit{fib}(n-2) + \mathit{fib}(n-1)
+$$
+</p>
+
+With the understanding that the argument $n$ is universally
+quantified, we can write this equation equivalently as
+
+<p style="text-align: center;" id="eq-fib">
+$$
+\mathit{fib}(n) = \mathbf{if}\:n < 2\:\mathbf{then}\:n\:\mathbf{else}\:\mathit{fib}(n-2)%2B\mathit{fib}(n-1)
+$$
+</p>
+
+
+The fact that the function being defined occurs on both sides of the equation
+causes concern that we might not be defining the function properly, leading to a
+logical inconsistency.  In general, there
+could be many solutions to an equation like [the general equation](#eq-general) or there could be none.
+Let's consider two ways to make sure we're defining the function uniquely.
+
+#### 12.4.1.1. Well-founded Functions
+
+A standard way to ensure that [the general equation](#eq-general) has a unique solution in $f$ is
+to make sure the recursion is well-founded, which roughly means that the
+recursion terminates.  This is done by introducing any well-founded
+relation $\ll$ on the domain of $f$ and making sure that the argument to each recursive
+call goes down in this ordering.  More precisely, if we formulate [the general equation](#eq-general) as
+<p style="text-align: center;">
+$$
+f(x) = \mathcal{F}{'}(f)
+$$
+</p>
+
+then we want to check $E \ll x$ for each call $f(E)$ in $f(x) = \mathcal{F}'(f)$.
+When a function
+definition satisfies  this _decrement condition_, then the function is said to be
+_well-founded_.
+
+For example, to check the decrement condition for $\mathit{fib}$
+in [the fib equation](#eq-fib), we can pick $\ll$
+to be the arithmetic less-than relation on natural numbers and check the
+following, for any $n$:
+<p style="text-align: center;"> $$ 2 \leq n \;\Longrightarrow\; n-2 \ll n \;\wedge\; n-1 \ll n $$
+</p>
+
+Note that we are entitled to use the antecedent
+$2 \leq n$ because that is the
+condition under which the else branch in [the fib equation](#eq-fib) is evaluated.
+
+A well-founded function is often thought of as "terminating" in the sense
+that the recursive _depth_ in evaluating $f$
+on any given argument is finite.  That is, there are no infinite descending chains
+of recursive calls.  However, the evaluation of $f$ on a given argument
+may fail to terminate, because its _width_ may be infinite.  For example, let $P$
+be some predicate defined on the ordinals and let $\mathit{P}_\downarrow$ be a predicate on the
+ordinals defined by the following equation:
+
+<p style="text-align: center;">
+$\mathit{P}_\downarrow = P(o) \;\wedge\; \forall p \bullet\; p \ll o \;\Longrightarrow\; \mathit{P}_\downarrow(p)$
+</p>
+
+
+With $\ll$ as the usual ordering on ordinals, this equation satisfies the decrement
+condition, but evaluating $\mathit{P}\_\downarrow(\omega)$ would require evaluating
+$\mathit{P}\_\downarrow(n)$ for every natural number $n$.  However, what we are concerned
+about here is to avoid mathematical inconsistencies, and that is
+indeed a consequence of the decrement condition.
+
+#### 12.4.1.2. Example with Well-founded Functions {#sec-fib-example}
+
+So that we can later see how inductive proofs are done in Dafny, let's prove that
+for any $n$, $\mathit{fib}(n)$ is even iff $n$ is a multiple of $3$.
+We split our task into
+two cases.  If $n < 2$, then the property follows directly from the definition
+of $\mathit{fib}$.  Otherwise, note that exactly one of the three numbers $n-2$, $n-1$, and $n$
+is a multiple of 3.  If $n$ is the multiple of 3, then by invoking the
+induction hypothesis on $n-2$
+and $n-1$, we obtain that $\mathit{fib}(n-2) + \mathit{fib}(n-1)$ is the sum of two odd numbers,
+which is even.  If $n-2$ or $n-1$ is a multiple of 3, then by invoking the induction
+hypothesis on $n-2$ and $n-1$, we obtain that $\mathit{fib}(n-2) + \mathit{fib}(n-1)$ is the sum of an
+even number and an odd number, which is odd.  In this proof, we invoked the induction
+hypothesis on $n-2$ and on $n-1$.  This is allowed, because both are smaller than
+$n$, and hence the invocations go down in the well-founded ordering on natural numbers.
+
+#### 12.4.1.3. Extreme Solutions
+
+We don't need to exclude the possibility of [the general equation](#eq-general) having multiple
+solutions---instead, we can just be clear about which one of them we want.
+Let's explore this, after a smidgen of lattice theory.
+
+For any complete lattice $(Y,\leq)$ and any set $X$, we can by _pointwise extension_ define
+a complete lattice $(X \to Y, \dot{\Rightarrow})$, where for any $f,g \colon X \to Y$,
+
+<p style="text-align: center;">
+$$
+f \dot{\Rightarrow} g  \;\;\equiv\;\; \forall x \bullet\; f(x) \leq g(x)
+$$
+</p>
+
+
+
+In particular, if $Y$ is the set of booleans ordered by implication (`false` $\leq$ `true`),
+then the set of predicates over any domain $X$ forms a complete lattice.
+Tarski's Theorem [@Tarski:theorem] tells us that any monotonic function over a
+complete lattice has a least and a greatest fixpoint.  In particular, this means that
+$\mathcal{F}$ has a least fixpoint and a greatest fixpoint, provided $\mathcal{F}$ is monotonic.
+
+Speaking about the _set of solutions_ in $f$ to [the general equation](#eq-general) is the same as speaking
+about the _set of fixpoints_ of functor $\mathcal{F}$.  In particular, the least and greatest
+solutions to [the general equation](#eq-general) are the same as the least and greatest fixpoints of $\mathcal{F}$.
+In casual speak, it happens that we say "fixpoint of [the general equation](#eq-general)", or more
+grotesquely, "fixpoint of $f$" when we really mean "fixpoint of $\mathcal{F}$".
+
+To conclude our little excursion into lattice theory, we have that, under the
+proviso of $\mathcal{F}$ being monotonic, the set of solutions in $f$ to [the general equation](#eq-general) is nonempty,
+and among these solutions, there is in the $\dot{\Rightarrow}$ ordering a least solution (that is,
+a function that returns `false` more often than any other) and a greatest solution (that
+is, a function that returns `true` more often than any other).
+
+When discussing extreme solutions, let's now restrict our attention to boolean functions
+(that is, with $Y$ being the type of booleans).  Functor $\mathcal{F}$ is monotonic
+if the calls to $f$ in $\mathcal{F}'(f)$ are in _positive positions_ (that is, under an even number
+of negations).  Indeed, from now on, we will restrict our attention to such monotonic
+functors $\mathcal{F}$.
+
+Here is a running example.  Consider the following equation,
+where $x$ ranges over the integers:
+
+<p style="text-align: center;" id="eq-EvenNat" title="the EvenNat equation">
+$$
+g(x) = (x = 0 \:\vee\: g(x-2))
+$$
+</p>
+
+This equation has four solutions in $g$.  With $w$ ranging over the integers, they are:
+
+<p style="text-align: center;">
+$$
+ \begin{array}{r@{}l}
+  g(x) \;\;\equiv\;\;{}&  x \in \{w \;|\; 0 \leq w \;\wedge\; w\textrm{ even}\} \\
+  g(x) \;\;\equiv\;\;{}&  x \in \{w \;|\; w\textrm{ even}\} \\
+  g(x) \;\;\equiv\;\;{}&  x \in \{w \;|\; (0 \leq w \;\wedge\; w\textrm{ even}) \:\vee\: w\textrm{ odd}\} \\
+  g(x) \;\;\equiv\;\;{}&  x \in \{w \;|\; \mathit{true}\}
+  \end{array}
+$$
+</p>
+
+
+The first of these is the least solution and the last is the greatest solution.
+
+In the literature, the definition of an extreme predicate is often given as a set of
+_inference rules_.  To designate the least solution, a single line separating the
+antecedent (on top) from conclusion (on bottom) is used:
+
+<p style="text-align: center;" id="g-ind-rule" title="the inductive rules">
+  $$\dfrac{}{g(0)} \qquad\qquad \dfrac{g(x-2)}{g(x)}$$
+</p>
+
+Through repeated applications of such rules, one can show that the predicate holds for
+a particular value.  For example, the _derivation_, or _proof tree_,
+to the left in [the proof tree figure](#fig-proof-trees) shows that $g(6)$ holds.
+(In this simple example, the derivation is a rather degenerate proof "tree".)
+The use of these inference rules gives rise to a least solution, because proof trees are
+accepted only if they are _finite_.
+
+When inference rules are to designate the greatest solution, a thick
+line is used:
+
+<p style="text-align: center;" id="g-coind-rule" title="the coinductive rules">
+    $$\genfrac{}{}{1.2pt}0{}{g(0)}
+  \qquad\qquad
+    \genfrac{}{}{1.2pt}0{g(x-2)}{g(x)}$$
+</p>
+
+In this case, proof trees are allowed to be infinite.
+For example, the left-hand example below shows a finite proof tree that uses [the inductive rules](#g-ind-rule) to establish $g(6)$.
+On the right is a partial depiction of an infinite proof tree that uses [the coinductive rules](#g-coind-rule) to establish $g(1)$.
+
+<p style="text-align: center;" id="fig-proof-trees" title="the proof tree figure">
+$$\dfrac{
+  \dfrac{
+    \dfrac{
+      \dfrac{}{g(0)}
+      }{g(2)}
+    }{g(4)}
+  }{g(6)}
+\qquad\qquad
+\genfrac{}{}{1.2pt}0{
+  \genfrac{}{}{1.2pt}0{
+    \genfrac{}{}{1.2pt}0{
+      \genfrac{}{}{1.2pt}0{
+          {} {\vdots }
+        }{g(-5)}
+      }{g(-3)}
+    }{g(-1)}
+  }{g(1)}$$
+</p>
+
+
+Note that derivations may not be unique.  For example, in the case of the greatest
+solution for $g$, there are two proof trees that establish $g(0)$:  one is the finite
+proof tree that uses the left-hand rule of [these coinductive rules](#g-coind-rule) once, the other is the infinite
+proof tree that keeps on using the right-hand rule of [these coinductive rules](#g-coind-rule).
+
+### 12.4.2. Working with Extreme Predicates {#sec-extreme-predicates}
+
+In general, one cannot evaluate whether or not an extreme predicate holds for some
+input, because doing so may take an infinite number of steps.  For example, following
+the recursive calls in the definition [the EvenNat equation](#eq-EvenNat) to try to evaluate $g(7)$ would never
+terminate.  However, there are useful ways to establish that an extreme predicate holds
+and there are ways to make use of one once it has been established.
+
+For any $\mathcal{F}$ as in [the general equation](#eq-general), define two infinite series of well-founded
+functions, ${ {}^{\flat}\kern-1mm f}_k$ and ${ {}^{\sharp}\kern-1mm f}_k$
+where $k$ ranges over the natural numbers:
+
+<p style="text-align: center;" id="eq-least-approx" title="the least approx definition">
+$$
+   { {}^{\flat}\kern-1mm f}_k(x) = \left\{
+    \begin{array}{ll}
+      \mathit{false}         & \textrm{if } k = 0 \\
+      \mathcal{F}({ {}^{\flat}\kern-1mm f}_{k-1})(x) & \textrm{if } k > 0
+    \end{array}
+     \right\} 
+$$
+</p>
+
+<p style="text-align: center;" id="eq-greatest-approx" title="the greatest approx definition">
+$$
+   { {}^{\sharp}\kern-1mm f}_k(x) = \left\{
+    \begin{array}{ll}
+      \mathit{true}          & \textrm{if } k = 0 \\
+      \mathcal{F}({ {}^{\sharp}\kern-1mm f}_{k-1})(x) & \textrm{if } k > 0
+    \end{array}
+    \right\} 
+$$
+</p>
+
+These functions are called the _iterates_ of $f$, and we will also refer to them
+as the _prefix predicates_ of $f$ (or the _prefix predicate_ of $f$, if we think
+of $k$ as being a parameter).
+Alternatively, we can define ${ {}^{\flat}\kern-1mm f}_k$ and ${ {}^{\sharp}\kern-1mm f}_k$ without mentioning $x$:
+let $\bot$ denote the function that always returns `false`, let $\top$
+denote the function that always returns `true`, and let a superscript on $\mathcal{F}$ denote
+exponentiation (for example, $\mathcal{F}^0(f) = f$ and $\mathcal{F}^2(f) = \mathcal{F}(\mathcal{F}(f))$).
+Then, [the least approx definition](#eq-least-approx) and [the greatest approx definition](#eq-greatest-approx) can be stated equivalently as
+${ {}^{\flat}\kern-1mm f}_k = \mathcal{F}^k(\bot)$ and ${ {}^{\sharp}\kern-1mm f}_k = \mathcal{F}^k(\top)$.
+
+For any solution $f$ to [the general equation](#eq-general), we have, for any $k$ and $\ell$
+such that $k \leq \ell$:
+
+
+<p style="text-align: center;" id="eq-prefix-postfix" title="the prefix postfix result">$$
+ {\;{}^{\flat}\kern-1mm f}_k    \quad\;\dot{\Rightarrow}\;\quad {\;{}^{\flat}\kern-1mm f}_\ell \quad\;\dot{\Rightarrow}\;\quad f      \quad\;\dot{\Rightarrow}\;\quad {\;{}^{\sharp}\kern-1mm f}_\ell \quad\;\dot{\Rightarrow}\;\quad { {}^{\sharp}\kern-1mm f}_k $$</p>
+
+In other words, every ${\;{}^{\flat}\kern-1mm f}\_{k}$ is a _pre-fixpoint_ of $f$ and every ${\;{}^{\sharp}\kern-1mm f}\_{k}$ is a _post-fixpoint_
+of $f$.  Next, define two functions, $f^{\downarrow}$ and $f^{\uparrow}$, in
+terms of the prefix predicates:
+
+<p style="text-align: center;" id="eq-least-is-exists" title="the least exists definition">$$
+ f^{\downarrow}(x) \;=\;  \exists k \bullet\; { {}^{\flat}\kern-1mm f}_k(x) $$</p>
+<p style="text-align: center;" id="eq-greatest-is-forall" title="the greatest forall definition">$$
+  f^{\uparrow}(x) \;=\;  \forall k \bullet\; { {}^{\sharp}\kern-1mm f}_k(x) $$</p>
+
+By [the prefix postfix result](#eq-prefix-postfix), we also have that $f^{\downarrow}$ is a pre-fixpoint of $\mathcal{F}$ and $f^{\uparrow}$
+is a post-fixpoint of $\mathcal{F}$.  The marvelous thing is that, if $\mathcal{F}$ is _continuous_, then
+$f^{\downarrow}$ and $f^{\uparrow}$ are the least and greatest fixpoints of $\mathcal{F}$.
+These equations let us do proofs by induction when dealing with extreme predicates.
+[The extreme predicate section](#sec-friendliness) explains how to check for continuity.
+
+Let's consider two examples, both involving function $g$ in
+[the EvenNat equation](#eq-EvenNat).  As it turns out, $g$'s defining functor is continuous,
+and therefore I will write $g^{\downarrow}$ and $g^{\uparrow}$ to denote the
+least and greatest solutions for $g$ in [the EvenNat equation](#eq-EvenNat).
+
+#### 12.4.2.1. Example with Least Solution {#sec-example-least-solution}
+
+The main technique for establishing that $g^{\downarrow}(x)$ holds for some
+$x$, that is, proving something of the form $Q \Longrightarrow g^{\downarrow}(x)$, is to
+construct a proof tree like the one for $g(6)$ in [the proof tree figure](#fig-proof-trees).
+For a proof in this direction, since we're just
+applying the defining equation, the fact that
+we're using a least solution for $g$ never plays a role (as long as we
+limit ourselves to finite derivations).
+
+The technique for going in the other direction, proving something _from_ an established
+$g^{\downarrow}$ property, that is, showing something of the form $g^{\downarrow}(x) \Longrightarrow R$, typically
+uses induction on the structure of the proof tree.  When the antecedent of our proof
+obligation includes a predicate term $g^{\downarrow}(x)$, it is sound to
+imagine that we have been given a proof tree for $g^{\downarrow}(x)$.  Such a proof tree
+would be a data structure---to be more precise, a term in an
+_inductive datatype_.
+Least solutions like $g^{\downarrow}$ have been given the
+name _least predicate_.
+
+Let's prove $g^{\downarrow}(x) \Longrightarrow 0 \leq x \wedge x \text{ even}$.
+We split our task into two cases, corresponding to which of the two
+proof rules in [the inductive rules](#g-ind-rule) was the
+last one applied to establish $g^{\downarrow}(x)$.  If it was the left-hand rule, then $x=0$,
+which makes it easy to establish the conclusion of our proof goal.  If it was the
+right-hand rule, then we unfold the proof tree one level and obtain $g^{\downarrow}(x-2)$.
+Since the proof tree for $g^{\downarrow}(x-2)$ is smaller than where we started, we invoke
+the _induction hypothesis_ and obtain $0 \leq (x-2) \wedge (x-2) \textrm{ even}$, from which
+it is easy to establish the conclusion of our proof goal.
+
+Here's how we do the proof formally using [the least exists definition](#eq-least-is-exists).  We massage the
+general form of our proof goal:
+
+<p style="text-align: center;">
+$$
+\begin{array}{lll}
+    & f^{\uparrow}(x) \;\Longrightarrow\; R  & \\
+  = &  & \textrm{ (the least exists definition) }    \\
+    & (\exists k \bullet\; { {}^{\flat}\kern-1mm f}_k(x)) \;\Longrightarrow\; R    &     \\
+  = &  & \text{distribute} \;\Longrightarrow\; \text{over} \;\exists\; \text{to the left}  \\
+    & \forall k \bullet\; ({ {}^{\flat}\kern-1mm f}_k(x) \;\Longrightarrow\; R)        &       
+\end{array}
+$$
+</p>
+
+The last line can be proved by induction over $k$.  So, in our case, we prove
+${ {}^{\flat}\kern-1mm g}\_k(x) \Longrightarrow 0 \leq x \wedge x \textrm{ even}$ for every $k$.
+If $k = 0$, then ${ {}^{\flat}\kern-1mm g}\_k(x)$ is `false`, so our goal holds trivially.
+If $k > 0$, then ${ {}^{\flat}\kern-1mm g}\_k(x) = (x = 0 \:\vee\: { {}^{\flat}\kern-1mm g}\_{k-1}(x-2))$.  Our goal holds easily
+for the first disjunct ($x=0$).  For the other disjunct,
+we apply the induction hypothesis (on the smaller $k-1$ and with $x-2$) and
+obtain $0 \leq (x-2)\;\wedge\; (x-2) \textrm{ even}$, from which our proof goal
+follows.
+
+#### 12.4.2.2. Example with Greatest Solution {#sec-example-greatest-solution}
+
+We can think of a predicate $g^{\uparrow}(x)$ as being represented
+by a proof tree---in this case a term in a _coinductive datatype_,
+since the proof may be infinite.
+Greatest solutions like $g^{\uparrow}$ have
+been given the name _greatest predicate_.
+The main technique for proving something from a given proof tree, that
+is, to prove something of the form $g^{\uparrow}(x) \;\Longrightarrow\; R$, is to
+destruct the proof.  Since this is just unfolding the defining
+equation, the fact that we're using a greatest solution for $g$ never
+plays a role (as long as we limit ourselves to a finite number of
+unfoldings).
+
+To go in the other direction, to establish a predicate defined as a greatest solution,
+like $Q \Longrightarrow g^{\uparrow}(x)$, we may need an infinite number of steps.  For this purpose,
+we can use induction's dual, _coinduction_.  Were it not for one little detail, coinduction
+is as simple as continuations in programming: the next part of the proof obligation
+is delegated to the _coinduction hypothesis_.  The little detail is making sure that
+it is the "next" part we're passing on for the continuation, not the same part.  This
+detail is called _productivity_ and corresponds to the requirement in
+induction of making sure we're going down a well-founded relation when
+applying the induction hypothesis.  There are
+many sources with more information, see for example the classic account by
+Jacobs and Rutten [@JacobsRutten:IntroductionCoalgebra]
+or a new attempt by Kozen and Silva
+that aims to emphasize the simplicity, not the mystery, of
+coinduction [@KozenSilva:Coinduction].
+
+Let's prove $\mathit{true} \Longrightarrow g^{\uparrow}(x)$.  The intuitive coinductive proof goes like this:
+According to the right-hand rule of [these coinductive rules](#g-coind-rule), $g^{\uparrow}(x)$ follows if we
+establish $g^{\uparrow}(x-2)$, and that's easy to do by invoking the coinduction hypothesis.
+The "little detail", productivity, is satisfied in this proof because we applied
+a rule in [these coinductive rules](#g-coind-rule) before invoking the coinduction hypothesis.
+
+For anyone who may have felt that the intuitive proof felt too easy, here is a formal
+proof using [the greatest forall definition](#eq-greatest-is-forall), which relies only on induction.  We massage the
+general form of our proof goal:
+
+
+<p style="text-align: center;">
+$$
+\begin{array}{lll}
+    & Q \;\Longrightarrow\; f^{\uparrow}(x)           &             \\
+  = &  & \textrm{ (the greatest forall definition) }   \\
+    & Q \;\Longrightarrow\; \forall k \bullet\; { {}^{\sharp}\kern-1mm f}_k(x)  &  \\
+  = &  & \text{distribute} \;\Longrightarrow\; \text{over} \;\forall\; \text{to the right } \\
+    & \forall k \bullet\; Q \;\Longrightarrow\; { {}^{\sharp}\kern-1mm f}_k(x)                 &
+\end{array}
+$$
+</p>
+
+
+The last line can be proved by induction over $k$.  So, in our case, we prove
+$\mathit{true} \;\Longrightarrow\; { {}^{\sharp}\kern-1mm g}_k(x)$ for every $k$.
+If $k=0$, then ${ {}^{\sharp}\kern-1mm g}\_k(x)$ is $\mathit{true}$, so our goal holds trivially.
+If $k > 0$, then ${ {}^{\sharp}\kern-1mm g}\_k(x) = (x = 0 \:\vee\: { {}^{\sharp}\kern-1mm g}\_{k-1}(x-2))$.  We establish the second
+disjunct by applying the induction hypothesis (on the smaller $k-1$ and with $x-2$).
+
+
+### 12.4.3. Other Techniques
+
+Although this section has considered only well-founded functions and extreme
+predicates, it is worth mentioning that there are additional ways of making sure that
+the set of solutions to [the general equation](#eq-general) is nonempty.  For example, if all calls to $f$ in
+$\mathcal{F}'(f)$ are _tail-recursive calls_, then (under the assumption that $Y$ is nonempty) the set of
+solutions is nonempty.  To see this, consider an attempted evaluation of $f(x)$ that fails
+to determine a definite result value because of an infinite chain of calls that applies $f$
+to each value of some subset $X'$ of $X$.  Then, apparently, the value of $f$ for any one
+of the values in $X'$ is not determined by the equation, but picking any particular result
+value for these makes for a consistent definition.
+This was pointed out by Manolios and Moore [@ManoliosMoore:PartialFunctions].
+Functions can be underspecified in this way in the proof assistants ACL2 [@ACL2:book]
+and HOL [@Krauss:PhD].
+
+## 12.5. Functions in Dafny
+
+This section explains with examples the support in
+Dafny for well-founded functions, extreme predicates,
+and proofs regarding these, building on the concepts 
+explained in the previous section.
+
+
+### 12.5.1. Well-founded Functions in Dafny
+
+Declarations of well-founded functions are unsurprising.  For example, the Fibonacci
+function is declared as follows:
+
+<!-- %check-verify -->
+```dafny
+function fib(n: nat): nat
+{
+  if n < 2 then n else fib(n-2) + fib(n-1)
+}
+```
+
+Dafny verifies that the body (given as an expression in curly braces) is well defined.
+This includes decrement checks for recursive (and mutually recursive) calls.  Dafny
+predefines a well-founded relation on each type and extends it to lexicographic tuples
+of any (fixed) length.  For example, the well-founded relation $x \ll y$ for integers
+is $x < y \;\wedge\; 0 \leq y$, the one for reals is $x \leq y - 1.0 \;\wedge\; 0.0 \leq y$
+(this is the same ordering as for integers, if you read the integer
+relation as $x \leq y - 1 \;\wedge\; 0 \leq y$), the one for inductive
+datatypes is structural inclusion,
+and the one for coinductive datatypes is `false`.
+
+Using a `decreases` clause, the programmer can specify the term in this predefined
+order.  When a function definition omits a `decreases` clause, Dafny makes a simple
+guess.  This guess (which can be inspected by hovering over the function name in the
+Dafny IDE) is very often correct, so users are rarely bothered to provide explicit
+`decreases` clauses.
+
+If a function returns `bool`, one can drop the result type `: bool` and change the
+keyword `function` to `predicate`.
+
+### 12.5.2. Proofs in Dafny {#sec-proofs-in-dafny}
+
+Dafny has `lemma` declarations, as described in [Section 6.3.3](#sec-lemmas):
+lemmas can have pre- and postcondition specifications and their body is a code block.
+Here is the lemma we stated and proved in [the fib example](#sec-fib-example) in the previous section:
+
+<!-- %check-verify -->
+```dafny
+lemma FibProperty(n: nat)
+  ensures fib(n) % 2 == 0 <==> n % 3 == 0
+{
+  if n < 2 {
+  } else {
+    FibProperty(n-2); FibProperty(n-1);
+  }
+}
+function fib(n: nat): nat
+{
+  if n < 2 then n else fib(n-2) + fib(n-1)
+}
+```
+
+The postcondition of this lemma (keyword `ensures`) gives the proof
+goal.  As in any program-correctness logic (e.g.,
+[@Hoare:AxiomaticBasis]), the postcondition must
+be established on every control path through the lemma's body.  For
+`FibProperty`, I give the proof by
+an `if` statement, hence introducing a case split.  The then branch is empty, because
+Dafny can prove the postcondition automatically in this case.  The else branch
+performs two recursive calls to the lemma.  These are the invocations of the induction
+hypothesis and they follow the usual program-correctness rules,
+namely: the precondition must hold at the call site, the call must terminate, and then
+the caller gets to assume the postcondition upon return.  The "proof glue" needed
+to complete the proof is done automatically by Dafny.
+
+Dafny features an aggregate statement using which it is possible to make (possibly
+infinitely) many calls at once.  For example, the induction hypothesis can be called
+at once on all values `n'` smaller than `n`:
+
+<!-- %no-check -->
+```dafny
+forall n' | 0 <= n' < n {
+  FibProperty(n');
+}
+```
+
+For our purposes, this corresponds to _strong induction_.  More
+generally, the `forall` statement has the form
+
+<!-- %no-check -->
+```dafny
+forall k | P(k)
+  ensures Q(k)
+{ Statements; }
+```
+
+Logically, this statement corresponds to _universal introduction_: the body proves that
+`Q(k)` holds for an arbitrary `k` such that `P(k)`, and the conclusion of the `forall` statement
+is then $\forall k \bullet\; P(k) \;\Longrightarrow\; Q(k)$.  When the body of the `forall` statement is
+a single call (or `calc` statement), the `ensures` clause is inferred and can be omitted,
+like in our `FibProperty` example.
+
+Lemma `FibProperty` is simple enough that its whole body can be replaced by the one
+`forall` statement above.  In fact, Dafny goes one step further: it automatically
+inserts such a `forall` statement at the beginning of every lemma [@Leino:induction].
+Thus, `FibProperty` can be declared and proved simply by:
+
+<!-- %check-verify -->
+```dafny
+lemma FibProperty(n: nat)
+  ensures fib(n) % 2 == 0 <==> n % 3 == 0
+{ }
+function fib(n: nat): nat
+{
+  if n < 2 then n else fib(n-2) + fib(n-1)
+}
+```
+
+Going in the other direction from universal introduction is existential elimination,
+also known as Skolemization.  Dafny has a statement for this, too:
+for any variable `x` and boolean expression `Q`, the
+_assign such that_ statement `x :| Q;` says to assign to `x` a value such that `Q`
+will hold.  A proof obligation when using this statement is to show that there
+exists an `x` such that `Q` holds.  For example, if the fact
+$\\exists k \bullet\; 100 \leq \mathit{fib}(k) < 200$ is known, then the statement
+`k :| 100 <= fib(k) < 200;` will assign to `k` some value (chosen arbitrarily)
+for which `fib(k)` falls in the given range.
+
+### 12.5.3. Extreme Predicates in Dafny {#sec-friendliness}
+
+The previous subsection explained that a `predicate` declaration introduces a
+well-founded predicate.  The declarations for introducing extreme predicates are
+`least predicate` and `greatest predicate`.  Here is the definition of the least and
+greatest solutions of $g$ from above; let's call them `g` and `G`:
+
+<!-- %check-verify -->
+```dafny
+least predicate g[nat](x: int) { x == 0 || g(x-2) }
+greatest predicate G[nat](x: int) { x == 0 || G(x-2) }
+```
+
+When Dafny receives either of these definitions, it automatically declares the corresponding
+prefix predicates.  Instead of the names ${ {}^{\flat}\kern-1mm g}_k$ and ${ {}^{\sharp}\kern-1mm g}_k$ that I used above, Dafny
+names the prefix predicates `g#[k]` and `G#[k]`, respectively, that is, the name of
+the extreme predicate appended with `#`, and the subscript is given as an argument in
+square brackets.  The definition of the prefix predicate derives from the body of
+the extreme predicate and follows the form in [the least approx definition](#eq-least-approx) and [the greatest approx definition](#eq-greatest-approx).
+Using a faux-syntax for illustrative purposes, here are the prefix
+predicates that Dafny defines automatically from the extreme
+predicates `g` and `G`:
+
+<!-- %no-check -->
+```dafny
+predicate g#[_k: nat](x: int) { _k != 0 && (x == 0 || g#[_k-1](x-2)) }
+predicate G#[_k: nat](x: int) { _k != 0 ==> (x == 0 || G#[_k-1](x-2)) }
+```
+
+The Dafny verifier is aware of the connection between extreme predicates and their
+prefix predicates, [the least exists definition](#eq-least-is-exists) and [the greatest forall definition](#eq-greatest-is-forall).
+
+Remember that to be well defined, the defining functor of an extreme predicate
+must be monotonic, and for [the least exists definition](#eq-least-is-exists) and [the greatest forall definition](#eq-greatest-is-forall) to hold,
+the functor must be continuous.  Dafny enforces the former of these by checking that
+recursive calls of extreme predicates are in positive positions.  The continuity
+requirement comes down to checking that they are also in _continuous positions_:
+that recursive calls to least predicates are
+not inside unbounded universal quantifiers and that recursive calls to greatest predicates
+are not inside unbounded existential quantifiers [@Milner:CCS; @LeinoMoskal:Coinduction].
+
+### 12.5.4. Proofs about Extreme Predicates
+
+From what has been presented so far, we can do the formal proofs for
+[the example about the least solution](#sec-example-least-solution) and [the example about the greatest solution](#sec-example-greatest-solution).  Here is the
+former:
+
+<!-- %check-verify -->
+```dafny
+least predicate g[nat](x: int) { x == 0 || g(x-2) }
+greatest predicate G[nat](x: int) { x == 0 || G(x-2) }
+lemma EvenNat(x: int)
+  requires g(x)
+  ensures 0 <= x && x % 2 == 0
+{
+  var k: nat :| g#[k](x);
+  EvenNatAux(k, x);
+}
+lemma EvenNatAux(k: nat, x: int)
+  requires g#[k](x)
+  ensures 0 <= x && x % 2 == 0
+{
+  if x == 0 { } else { EvenNatAux(k-1, x-2); }
+}
+```
+
+Lemma `EvenNat` states the property we wish to prove.  From its
+precondition (keyword `requires`) and
+[the least exists definition](#eq-least-is-exists), we know there is some `k` that will make the condition in the
+assign-such-that statement true.  Such a value is then assigned to `k` and passed to
+the auxiliary lemma, which promises to establish the proof goal.  Given the condition
+`g#[k](x)`, the definition of `g#` lets us conclude `k != 0` as well as the disjunction
+`x == 0 || g#[k-1](x-2)`.  The then branch considers the case of the first disjunct,
+from which the proof goal follows automatically.  The else branch can then assume
+`g#[k-1](x-2)` and calls the induction hypothesis with those parameters.  The proof
+glue that shows the proof goal for `x` to follow from the proof goal with `x-2` is
+done automatically.
+
+Because Dafny automatically inserts the statement
+
+<!-- %no-check -->
+```dafny
+forall k', x' | 0 <= k' < k && g#[k'](x') {
+  EvenNatAux(k', x');
+}
+```
+
+at the beginning of the body of `EvenNatAux`, the body can be left empty and Dafny
+completes the proof automatically.
+
+Here is the Dafny program that gives the proof from [the example of the greatest solution](#sec-example-greatest-solution):
+
+<!-- %check-verify -->
+```dafny
+least predicate g[nat](x: int) { x == 0 || g(x-2) }
+greatest predicate G[nat](x: int) { x == 0 || G(x-2) }
+lemma Always(x: int)
+  ensures G(x)
+{ forall k: nat { AlwaysAux(k, x); } }
+lemma AlwaysAux(k: nat, x: int)
+  ensures G#[k](x)
+{ }
+```
+
+While each of these proofs involves only basic proof rules, the setup feels a bit clumsy,
+even with the empty body of the auxiliary lemmas.  Moreover,
+the proofs do not reflect the intuitive proofs described in
+[the example of the least solution](#sec-example-least-solution) and [the example of the greatest solution](#sec-example-greatest-solution).
+These shortcomings are addressed in the next subsection.
+
+### 12.5.5. Nicer Proofs of Extreme Predicates {#sec-nicer-proofs-of-extremes}
+
+The proofs we just saw follow standard forms:
+use Skolemization to convert the least predicate into a prefix predicate for some `k`
+and then do the proof inductively over `k`; respectively,
+by induction over `k`, prove the prefix predicate for every `k`, then use
+universal introduction to convert to the greatest predicate.
+With the declarations `least lemma` and `greatest lemma`, Dafny offers to
+set up the proofs
+in these standard forms.  What is gained is not just fewer characters in the program
+text, but also a possible intuitive reading of the proofs.  (Okay, to be fair, the
+reading is intuitive for simpler proofs; complicated proofs may or may not be intuitive.)
+
+Somewhat analogous to the creation of prefix predicates from extreme predicates, Dafny
+automatically creates a _prefix lemma_ `L#` from each "extreme lemma" `L`.  The pre-
+and postconditions of a prefix lemma are copied from those of the extreme lemma,
+except for the following replacements:
+* for a least lemma, Dafny looks in the precondition to find calls (in positive, continuous
+positions) to least predicates `P(x)` and replaces these with `P#[_k](x)`;
+* for a greatest lemma,
+  Dafny looks in the postcondition to find calls (in positive, continuous positions)
+  to greatest predicates `P` (including equality among coinductive datatypes, which is a built-in
+  greatest predicate) and replaces these with `P#[_k](x)`.
+In each case, these predicates `P` are the lemma's _focal predicates_.
+
+The body of the extreme lemma is moved to the prefix lemma, but with
+replacing each recursive
+call `L(x)` with `L#[_k-1](x)` and replacing each occurrence of a call
+to a focal predicate
+`P(x)` with `P#[_k-1](x)`.  The bodies of the extreme lemmas are then replaced as shown
+in the previous subsection.  By construction, this new body correctly leads to the
+extreme lemma's postcondition.
+
+Let us see what effect these rewrites have on how one can write proofs.  Here are the proofs
+of our running example:
+
+<!-- %check-verify -->
+```dafny
+least predicate g(x: int) { x == 0 || g(x-2) }
+greatest predicate G(x: int) { x == 0 || G(x-2) }
+least lemma EvenNat(x: int)
+  requires g(x)
+  ensures 0 <= x && x % 2 == 0
+{ if x == 0 { } else { EvenNat(x-2); } }
+greatest lemma Always(x: int)
+  ensures G(x)
+{ Always(x-2); }
+```
+
+Both of these proofs follow the intuitive proofs given in
+[the example of the least solution](#sec-example-least-solution) and [the example of the greatest solution](#sec-example-greatest-solution).  Note that in these
+simple examples, the user is never bothered with either prefix predicates nor
+prefix lemmas---the proofs just look like "what you'd expect".
+
+Since Dafny automatically inserts calls to the induction hypothesis at the beginning of
+each lemma, the bodies of the given extreme lemmas `EvenNat` and
+`Always` can be empty and Dafny still completes the proofs.
+Folks, it doesn't get any simpler than that!
+
+## 12.6. Variable Initialization and Definite Assignment {#sec-definite-assignment}
+
+The Dafny language semantics ensures that any use (read) of a variable (or constant,
+parameter, object field, or array element) gives a value of the variable's type.
+It is easy to see that this property holds for any variable that is declared with
+an initializing assignment. However, for many useful programs, it would be too strict
+to require an initializing assignment at the time a variable is declared.
+Instead, Dafny ensures the property through _auto-initialization_ and rules for _definite assignment_.
+
+As explained in [section 5.3.1](#sec-type-characteristics), each type in Dafny is one of the following:
+
+- _auto-init type_: the type is nonempty and the compiler has some way to emit code that constructs a value
+- _nonempty type_: the type is nonempty, but the compiler does not know how perform automatic initialization
+- _possibly empty type_: the type is not known for sure to have a value
+
+For a variable of an auto-init type, the compiler can initialize the variable automatically.
+This means that the variable can be used immediately after declaration, even if the program does not
+explicitly provide an initializing assignment.
+
+In a ghost context, one can an imagine a "ghost" that initializes variables. Unlike the compiler, such
+a "ghost" does not need to emit code that constructs an initializing value; it suffices for the ghost to
+know that a value exists. Therefore, in a ghost context, a variable of a nonempty type can be used immediately
+after declaration.
+
+Before a variable of a possibly empty type can be used, the program must initialize it.
+The variable need not be given a value when it is declared,
+but it must have a value by the time it is first used. Dafny uses the precision of the verifier to
+reason about the control flow between assignments and uses of variables, and it reports an error
+if it cannot assure itself that the variable has been given a value.
+
+The elements of an array must be assured to have values already in the statement that allocates the array.
+This is achieved in any of the following four ways:
+- If the array is allocated to be empty (that is, one of its dimensions is requested to be 0), then
+  the array allocation trivially satisfies the requirement.
+- If the element type of the array is an auto-init type, then nothing further is required by the program.
+- If the array allocation occurs in a ghost context and the element type is a nonempty type, then nothing
+  further is required by the program.
+- Otherwise, the array allocation must provide an initialization display or an initialization function.
+See [section 5.10](#sec-array-type) for information about array initialization.
+
+The fields of a class must have values by the end of the first phase of each constructor (that is, at
+the explicit or implicit `new;` statement in the constructor). If a class has a compiled field that is
+not of an auto-init type, or if it has a ghost field of a possibly empty type, then the class is required
+to declare a(t least one) constructor.
+
+The yield-parameters of an `iterator` turn into fields of the corresponding iterator class, but there
+is no syntactic place to give these initial values. Therefore, every compiled yield-parameter must be of
+auto-init types and every ghost yield-parameter must be of an auto-init or nonempty type.
+
+For local variables and out-parameters, Dafny supports two definite-assignment modes:
+- A strict mode (the default, which is `--relax-definite-assignment=false`; or `/definiteAssignment:4`
+  in the legacy CLI), in which local variables and out-parameters are always subject
+  to definite-assignment rules, even for auto-initializable types.
+- A relaxed mode (enabled by the option `--relax-definite-assignment`; or `/definiteAssignment:1`
+  in the legacy CLI), in which the auto-initialization (or, for ghost variables and parametes, nonemptiness)
+  is sufficient to satisfy the definite assignment rules.
+
+A program using the strict mode can still indicate that it is okay with an arbitrary value of a variable `x`
+by using an assignment statement `x := *;`, provided the type of `x` is an auto-init type (or, if `x` is
+ghost, a nonempty type). (If `x` is of a possibly nonempty type, then `x := *;` is still allowed, but it
+sets `x` to a value of its type only if the type actually contains a value. Therefore, when `x` is of
+a possibly empty type, `x := *;` does not count as a definite assignment to `x`.)
+
+Note that auto-initialization is nondeterministic. Dafny only guarantees that each value it assigns to
+a variable of an auto-init type is _some_ value of the type. Indeed, a variable may be auto-initialized
+to different values in different runs of the program or even at different times during the same run of
+the program. In other words, Dafny does not guarantee the "zero-equivalent value" initialization that
+some languages do. Along these lines, also note that the `witness` value provided in some subset-type
+declarations is not necessarily the value chosen by auto-initialization, though it does esstablish that
+the type is an auto-init type.
+
+In some programs (for example, in some test programs), it is desirable to avoid nondeterminism.
+For that purpose, Dafny provides an `--enforce-determinism` option. It forbids use of any program
+statement that may have nondeterministic behavior and it disables auto-initialization.
+This mode enforces definite assignments everywhere, going beyond what the strict mode does by enforcing
+definite assignment also for fields and array elements. It also forbids the use of `iterator` declarations
+and `constructor`-less `class` declarations. It is up to a user's build process to ensure that
+`--enforce-determinism` is used consistently throughout the program. (In the legacy CLI, this
+mode is enabled by `/definiteAssignment:3`.)
+
+[This document](../Compilation/AutoInitialization), which is intended for developers of the
+Dafny tool itself, has more detail on auto-initialization and how it is implemented.
+
+Finally, note that `--relax-definite-assignment=false` is the default in the command-based CLI,
+but, for backwards compatibility, the relaxed rules (`/definiteAssignment:1) are still the default
+in the legacy CLI.
+
+## 12.7. Well-founded Orders {#sec-well-founded-orders}
+
+The well-founded order relations for a variety of built-in types in Dafny
+are given in the following table:
+
+| type of `X` and `x`    | `x` strictly below `X`   |
+|:-----------------------|:---------------------------------------------------------------|
+| `bool`                 | `X && !x`                                                      |
+| `int`                  | `x < X && 0 <= X`                                              |
+| `real`                 | `x <= X - 1.0 && 0.0 <= X`                                     |
+| `set<T>`               | `x` is a proper subset of `X`                                  |
+| `multiset<T>`               | `x` is a proper multiset-subset of `X`                                  |
+| `seq<T>`               | `x` is a consecutive proper sub-sequence of `X`                |
+| `map<K, V>`               | `x.Keys` is a proper subset of `X.Keys`                |
+| inductive datatypes    | `x` is structurally included in `X`                            |
+| reference types | `x == null && X != null` |
+| coinductive datatypes | `false` |
+| type parameter | `false` |
+| arrow types | `false` |
+
+Also, there are a few relations between the rows in the table above. For example, a datatype value `x` sitting inside a set that sits inside another datatype value `X` is considered to be strictly below `X`. Here's an illustration of that order, in a program that verifies:
+
+<!-- %check-verify -->
+```dafny
+datatype D = D(s: set<D>)
+
+method TestD(dd: D) {
+  var d := dd;
+  while d != D({})
+    decreases d
+  {
+    var x :| x in d.s;
+    d := x;
+  }
+}
+```
+
+## 12.8. Quantifier instantiation rules {#sec-quantifier-triggers}
+During verification, when Dafny knows that a universal quantifier is true, such as when verifying the body of a function that has the requires clause `forall x :: f(x) == 1`, it may instantiate the quantifier. Instantiation means Dafny will pick a value for all the variables of the quantifier, leading to a new expression, which it hopes to use to prove an assertion. In the above example, instantiating using `3` for `x` will lead to the expression `f(3) == 1`.
+
+For each universal quantifier, Dafny generates rules to determine which instantiations are worthwhile doing. We call these rules triggers, a term that originates from SMT solvers. If Dafny can not generate triggers for a specific quantifier, it falls back to a set of generic rules. However, this is likely to be problematic, since the generic rules can cause many useless instantiations, leading to verification timing out or failing to proof a valid assertion. When the generic rules are used, Dafny emits a warning telling the user no triggers were found for the quantifier, indicating the Dafny program should be changed so Dafny can find triggers for this quantifier.
+
+Here follows the approach Dafny uses to generate triggers based on a quantifier. Dafny finds terms in the quantifier body where a quantified variable is used in an operation, such as in a function application `P(x)`, array access `a[x]`, member accesses `x.someField`, or set membership tests `x in S`. To find a trigger, Dafny must find a set of such terms so that each quantified variable is used. You can investigate which triggers Dafny finds by hovering over quantifiers in the IDE and looking for 'Selected triggers', or by using the options `--show-tooltips` when using the LCI.
+
+There are particular expressions which, for technical reasons, Dafny can not use as part of a trigger. Among others, these expression include: [match](#sec-match-expression), [let](#sec-let-expression), [arithmetic operations and logical connectives](#sec-expressions). For example, in the quantifier `forall x :: x in S ⇐⇒ f(x) > f(x+1)`, Dafny will use `x in S` and `f(x)` as trigger terms, but will not use `x+1` or any terms that contain it. You can investigate which triggers Dafny can not use by hovering over quantifiers in the IDE and looking for 'Rejected triggers', or by using the options `--show-tooltips` when using the LCI.
+
+Besides not finding triggers, another problematic situation is when Dafny was able to generate triggers, but believes the triggers it found may still cause useless instantiations because they create matching loops. Dafny emits a warning when this happens, indicating the Dafny program should be changed so Dafny can find triggers for this quantifier that do not cause matching loops.
+
+To understand matching loops, one needs to understand how triggers are used. During a single verification run, such as verifying a method or function, Dafny maintains a set of expressions which it believes to be true, which we call the ground terms. For example, in the body of a method, Dafny knows the requires clauses of that method hold, so the expressions in those will be ground terms. When Dafny steps through the statements of the body, the set of ground terms grows. For example, when an assignment `var x := 3` is evaluated, a ground term `x == 3` will be added. Given a universal quantifier that's a ground term, Dafny will try to pattern match its triggers on sub-expressions of other ground terms. If the pattern matches, that sub-expression is used to instantiate the quantifier. 
+
+Dafny makes sure not to perform the exact same instantiation twice. However, if an instantiation leads to a new term that also matches the trigger, but is different from the term used for the instantiation, the quantifier may be instantiated too often, an event we call a matching loop. For example, given the ground terms `f(3)` and `forall x {f(x)} :: f(x) + f(f(x))`, where `{f(x)}` indicates the trigger for the quantifier, Dafny may instantiate the quantifier using `3` for `x`. This creates a new ground term `f(3) + f(f(3))`, of which the right hand side again matches the trigger, allowing Dafny to instantiate the quantifier again using `f(3)` for `x`, and again and again, leading to an unbounded amount of instantiations.
+
+Even existential quantifiers need triggers. This is because when Dafny determines an existential quantifier is false, for example in the body of a method that has `requires !exists x :: f(x) == 2`, Dafny will use a logical rewrite rule to change this existential into a universal quantifier, so it becomes `requires forall x :: f(x) != 2`. Before verification, Dafny can not determine whether quantifiers will be determined to be true or false, so it must assume any quantifier may turn into a universal quantifier, and thus they all need triggers. Besides quantifiers, comprehensions such as set and map comprehensions also need triggers, since these are modeled using universal quantifiers.
+
+Dafny may report 'Quantifier was split into X parts'. This occurs when Dafny determines it can only generate good triggers for a quantifier by splitting it into multiple smaller quantifiers, whose aggregation is logically equivalent to the original one. To maintain logical equivalence, Dafny may have to generate more triggers than if the split had been done manually in the Dafny source file. An example is the expression `forall x :: P(x) && (Q(x) =⇒ P(x+1))`, which Dafny will split into
+<!-- %no-check -->
+```dafny
+forall x {P(x)} {Q(x)} :: P(x) &&
+forall x {(Q(x)} :: Q(x) =⇒ P(x+1)
+```
+
+Note the trigger `{Q(x)}` in the first quantifier, which was added to maintain equivalence with the original quantifier. If the quantifier had been split in source, only the trigger `{P(x)}` would have been added for `forall x :: P(x)`.
diff --git a/v4.10.0/DafnyRef/Types.1.expect b/v4.10.0/DafnyRef/Types.1.expect
new file mode 100644
index 0000000..f6eb2fa
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.1.expect
@@ -0,0 +1,2 @@
+text.dfy(3,16): Error: literal (5) is too large for the bitvector type bv2
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.10.expect b/v4.10.0/DafnyRef/Types.10.expect
new file mode 100644
index 0000000..264588a
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.10.expect
@@ -0,0 +1,3 @@
+text.dfy(1,5): Error: cannot find witness that shows type is inhabited (only tried 0); try giving a hint through a 'witness' or 'ghost witness' clause, or use 'witness *' to treat as a possibly empty type
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Types.10a.expect b/v4.10.0/DafnyRef/Types.10a.expect
new file mode 100644
index 0000000..9e19ac5
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.10a.expect
@@ -0,0 +1,4 @@
+text.dfy(3,0): Error: a postcondition could not be proved on this return path
+text.dfy(2,16): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Types.11.expect b/v4.10.0/DafnyRef/Types.11.expect
new file mode 100644
index 0000000..881c05e
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.11.expect
@@ -0,0 +1,3 @@
+text.dfy(11,25): Error: argument at index 1 for parameter 'd' could not be proved to be allocated in the two-state function's previous state -- if you add 'new' before the parameter declaration, like 'new d: Cell', arguments can refer to expressions possibly unallocated in the previous state
+
+Dafny program verifier finished with 2 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Types.12.expect b/v4.10.0/DafnyRef/Types.12.expect
new file mode 100644
index 0000000..ef354a0
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.12.expect
@@ -0,0 +1,3 @@
+text.dfy(10,27): Error: argument at index 0 for parameter 'c' could not be proved to be allocated in the two-state function's previous state -- if you add 'new' before the parameter declaration, like 'new c: Cell', arguments can refer to expressions possibly unallocated in the previous state
+
+Dafny program verifier finished with 2 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Types.13.expect b/v4.10.0/DafnyRef/Types.13.expect
new file mode 100644
index 0000000..9249f3a
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.13.expect
@@ -0,0 +1,2 @@
+text.dfy(4,2): Error: a exists expression involved in a predicate definition is not allowed to depend on the set of allocated references, but values of 'p' (of type 'Path') may contain references (see documentation for 'older' parameters)
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.14.expect b/v4.10.0/DafnyRef/Types.14.expect
new file mode 100644
index 0000000..1f202a3
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.14.expect
@@ -0,0 +1,3 @@
+text.dfy(3,2): Error: a forall expression involved in a predicate definition is not allowed to depend on the set of allocated references, but values of 'x' (of type 'X') may contain references (perhaps declare its type as 'X(!new)') (see documentation for 'older' parameters)
+text.dfy(3,2): Error: a forall expression involved in a predicate definition is not allowed to depend on the set of allocated references, but values of 'y' (of type 'X') may contain references (perhaps declare its type as 'X(!new)') (see documentation for 'older' parameters)
+2 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.15.expect b/v4.10.0/DafnyRef/Types.15.expect
new file mode 100644
index 0000000..f21c802
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.15.expect
@@ -0,0 +1,2 @@
+text.dfy(4,16): Error: second argument to "in" must be a set, multiset, or sequence with elements of type Path, or a map with domain Path (instead got set<Node>) (expecting element type to be assignable to Node (got Path))
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.16.expect b/v4.10.0/DafnyRef/Types.16.expect
new file mode 100644
index 0000000..5062ed6
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.16.expect
@@ -0,0 +1,3 @@
+text.dfy(7,2): Error: a forall expression involved in a predicate definition is not allowed to depend on the set of allocated references, but values of 'x' (of type 'X') may contain references (perhaps declare its type as 'X(!new)') (see documentation for 'older' parameters)
+text.dfy(7,2): Error: a forall expression involved in a predicate definition is not allowed to depend on the set of allocated references, but values of 'y' (of type 'X') may contain references (perhaps declare its type as 'X(!new)') (see documentation for 'older' parameters)
+2 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.17.expect b/v4.10.0/DafnyRef/Types.17.expect
new file mode 100644
index 0000000..9144685
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.17.expect
@@ -0,0 +1,3 @@
+text.dfy(5,15): Error: array type array does not have an anonymous constructor
+text.dfy(6,15): Error: array type array does not have an anonymous constructor
+2 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.18.expect b/v4.10.0/DafnyRef/Types.18.expect
new file mode 100644
index 0000000..f535e45
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.18.expect
@@ -0,0 +1,2 @@
+text.dfy(14,4): Error: RHS (of type (int, int) -> int) not assignable to LHS (of type int -> int)
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.19.expect b/v4.10.0/DafnyRef/Types.19.expect
new file mode 100644
index 0000000..e513b84
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.19.expect
@@ -0,0 +1,3 @@
+text.dfy(9,2): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Types.2.expect b/v4.10.0/DafnyRef/Types.2.expect
new file mode 100644
index 0000000..97d16d7
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.2.expect
@@ -0,0 +1,2 @@
+text.dfy(5,15): Error: Ambiguous use of &, |, ^. Use parentheses to disambiguate.
+1 parse errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.20.expect b/v4.10.0/DafnyRef/Types.20.expect
new file mode 100644
index 0000000..df1d037
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.20.expect
@@ -0,0 +1,5 @@
+text.dfy(26,0): Error: a postcondition could not be proved on this return path
+text.dfy(25,15): Related location: this is the postcondition that could not be proved
+text.dfy(10,9): Related location: this proposition could not be proved
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Types.21.expect b/v4.10.0/DafnyRef/Types.21.expect
new file mode 100644
index 0000000..22303ff
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.21.expect
@@ -0,0 +1,4 @@
+text.dfy(8,4): Error: field 'x', which is subject to definite-assignment rules, might be uninitialized at this point in the constructor body
+text.dfy(10,4): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 2 errors
diff --git a/v4.10.0/DafnyRef/Types.22.expect b/v4.10.0/DafnyRef/Types.22.expect
new file mode 100644
index 0000000..8b56f1c
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.22.expect
@@ -0,0 +1,2 @@
+text.dfy(5,27): Error: name of type synonym (IntPair) is used as a function
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.25.expect b/v4.10.0/DafnyRef/Types.25.expect
new file mode 100644
index 0000000..9091193
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.25.expect
@@ -0,0 +1,3 @@
+text.dfy(3,4): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Types.26.expect b/v4.10.0/DafnyRef/Types.26.expect
new file mode 100644
index 0000000..99a48f2
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.26.expect
@@ -0,0 +1,2 @@
+text.dfy(3,9): Error: type parameter (T) passed to type A must be nonempty (got Q) (perhaps try declaring abstract type 'Q' on line 2 as 'Q(00)', which says it can only be instantiated with a nonempty type)
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.3.expect b/v4.10.0/DafnyRef/Types.3.expect
new file mode 100644
index 0000000..d97fcc5
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.3.expect
@@ -0,0 +1,2 @@
+text.dfy(4,18): Error: arguments must have comparable types (got bv5 and bv6)
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.4.expect b/v4.10.0/DafnyRef/Types.4.expect
new file mode 100644
index 0000000..1ff5ae0
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.4.expect
@@ -0,0 +1,3 @@
+text.dfy(4,11): Error: value to be converted might not fit in bv3
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Types.5.expect b/v4.10.0/DafnyRef/Types.5.expect
new file mode 100644
index 0000000..711cbcb
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.5.expect
@@ -0,0 +1,2 @@
+text.dfy(4,14): Error: literal (25) is too large for the bitvector type bv4
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.6.expect b/v4.10.0/DafnyRef/Types.6.expect
new file mode 100644
index 0000000..e431309
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.6.expect
@@ -0,0 +1,2 @@
+text.dfy(1,20): Error: literal (11) is too large for the bitvector type bv3
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.7a.expect b/v4.10.0/DafnyRef/Types.7a.expect
new file mode 100644
index 0000000..126cd8b
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.7a.expect
@@ -0,0 +1,3 @@
+text.dfy(5,2): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Types.7b.expect b/v4.10.0/DafnyRef/Types.7b.expect
new file mode 100644
index 0000000..6a174de
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.7b.expect
@@ -0,0 +1,3 @@
+text.dfy(5,0): Error: out-parameter 'x', which is subject to definite-assignment rules, might be uninitialized at this return point
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/Types.8.expect b/v4.10.0/DafnyRef/Types.8.expect
new file mode 100644
index 0000000..dd8e7d2
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.8.expect
@@ -0,0 +1,4 @@
+text.dfy(6,0): Error: out-parameter 'b', which is subject to definite-assignment rules, might be uninitialized at this return point
+text.dfy(6,0): Error: out-parameter 'h', which is subject to definite-assignment rules, might be uninitialized at this return point
+
+Dafny program verifier finished with 0 verified, 2 errors
diff --git a/v4.10.0/DafnyRef/Types.9.expect b/v4.10.0/DafnyRef/Types.9.expect
new file mode 100644
index 0000000..8100593
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.9.expect
@@ -0,0 +1,3 @@
+text.dfy(10,10): Error: type parameter (T) passed to type ResultN must contain no references (got C)
+text.dfy(12,10): Error: type parameter (T) passed to type ResultN must contain no references (got array<int>)
+2 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/DafnyRef/Types.md b/v4.10.0/DafnyRef/Types.md
new file mode 100644
index 0000000..744008a
--- /dev/null
+++ b/v4.10.0/DafnyRef/Types.md
@@ -0,0 +1,4624 @@
+# 5. Types {#sec-types}
+
+A Dafny type is a (possibly-empty) set of values or heap data-structures,
+together with allowed operations on those values.
+Types are classified as mutable reference types or immutable value types,
+depending on whether their values are stored in the heap or are 
+(mathematical) values independent of the heap.
+
+Dafny supports the following kinds of types,
+all described in later sections of this manual:
+* [builtin scalar types](#sec-basic-type), 
+* [builtin collection types](#sec-collection-types), 
+* [reference types](#sec-class-types) (classes, traits, iterators),
+* [tuple types](#sec-tuple-types) (including as a special case a parenthesized type),
+* [inductive](#sec-datatype) and [coinductive](#sec-coinductive-datatypes) datatypes, 
+* [function (arrow) types](#sec-arrow-subset-types), and
+* [types, such as subset types, derived from other types](#sec-subset-types).
+
+## 5.1. Kinds of types
+### 5.1.1. Value Types
+The value types are those whose values do not lie in the program heap.
+These are:
+
+* The basic scalar types: `bool`, `char`, `int`, `real`, `ORDINAL`, bitvector types
+* The built-in collection types: `set`, `iset`, `multiset`, `seq`, `string`, `map`, `imap`
+* Tuple Types
+* Inductive and coinductive types
+* Function (arrow) types
+* Subset and newtypes that are based on value types
+
+Data items having value types are passed by value. Since they are not
+considered to occupy _memory_, framing expressions do not reference them.
+
+The `nat` type is a pre-defined [subset type](#sec-subset-types) of `int`.
+
+Dafny does not include types themselves as values, nor is there a type of types.
+
+### 5.1.2. Reference Types {#sec-reference-types}
+Dafny offers a host of _reference types_.  These represent
+_references_ to objects allocated dynamically in the program heap.  To
+access the members of an object, a reference to (that is, a _pointer_
+to or _object identity_ of) the object is _dereferenced_.
+
+The reference types are class types, traits and array types.
+Dafny supports both reference types that contain the special `null` value
+(_nullable types_) and reference types that do not (_non-null types_).
+
+### 5.1.3. Named Types ([grammar](#g-type))
+
+A _Named Type_ is used to specify a user-defined type by a (possibly module- or class-qualified) name.
+Named types are introduced by
+class, trait, inductive, coinductive, synonym and abstract
+type declarations. They are also used to refer to type variables.
+A Named Type is denoted by a dot-separated sequence of name segments ([Section 9.32](#sec-name-segment)).
+
+A name segment (for a type) is a type name optionally followed by a
+_generic instantiation_, which supplies type parameters to a generic
+type, if needed.
+
+The following sections describe each of these kinds of types in more detail.
+
+<!--PDF NEWPAGE-->
+## 5.2. Basic types {#sec-basic-type}
+
+Dafny offers these basic types: `bool` for booleans, `char` for
+characters, `int` and `nat` for integers, `real` for reals,
+`ORDINAL`, and bit-vector types.
+
+### 5.2.1. Booleans ([grammar](#g-basic-type)) {#sec-booleans}
+
+There are two boolean values and each has a corresponding literal in
+the language:  `false` and `true`.
+
+Type `bool` supports the following operations:
+
+ operator           | precedence | description
+--------------------|:----------:|------------------------------------
+ `<==>`             | 1 | equivalence (if and only if)
+--------------------|------------------------------------
+ `==>`              | 2 | implication (implies)
+ `<==`              | 2 | reverse implication (follows from)
+--------------------|------------------------------------
+ `&&`               | 3 | conjunction (and)
+ `||`               | 3 |  disjunction (or)
+--------------------|------------------------------------
+ `==`               | 4 | equality
+ `!=`               | 4 | disequality
+--------------------|------------------------------------
+ `!`                | 10 | negation (not)
+
+Negation is unary; the others are binary.  The table shows the operators
+in groups of increasing binding power, with equality binding stronger
+than conjunction and disjunction, and weaker than negation.  Within
+each group, different operators do not associate, so parentheses need
+to be used.  For example,
+<!-- %no-check -->
+```dafny
+A && B || C    // error
+```
+would be ambiguous and instead has to be written as either
+<!-- %no-check -->
+```dafny
+(A && B) || C
+```
+or
+<!-- %no-check -->
+```dafny
+A && (B || C)
+```
+depending on the intended meaning.
+
+#### 5.2.1.1. Equivalence Operator {#sec-equivalence-operator}
+
+The expressions `A <==> B` and `A == B` give the same value, but note
+that `<==>` is _associative_ whereas `==` is _chaining_ and they have
+different precedence.  So,
+<!-- %no-check -->
+```dafny
+A <==> B <==> C
+```
+is the same as
+<!-- %no-check -->
+```dafny
+A <==> (B <==> C)
+```
+and
+<!-- %no-check -->
+```dafny
+(A <==> B) <==> C
+```
+whereas
+<!-- %no-check -->
+```dafny
+A == B == C
+```
+is simply a shorthand for
+<!-- %no-check -->
+```dafny
+A == B && B == C
+```
+
+Also,
+<!-- %no-check -->
+```dafny
+A <==> B == C <==> D
+```
+is
+<!-- %no-check -->
+```dafny
+A <==> (B == C) <==> D
+```
+
+
+#### 5.2.1.2. Conjunction and Disjunction {#sec-conjunction-and-disjunction}
+
+Conjunction and disjunction are associative.  These operators are
+_short circuiting (from left to right)_, meaning that their second
+argument is evaluated only if the evaluation of the first operand does
+not determine the value of the expression.  Logically speaking, the
+expression `A && B` is defined when `A` is defined and either `A`
+evaluates to `false` or `B` is defined.  When `A && B` is defined, its
+meaning is the same as the ordinary, symmetric mathematical
+conjunction `&`.  The same holds for `||` and `|`.
+
+#### 5.2.1.3. Implication and  Reverse Implication {#sec-implication-and-reverse-implication}
+
+Implication is _right associative_ and is short-circuiting from left
+to right.  Reverse implication `B <== A` is exactly the same as
+`A ==> B`, but gives the ability to write the operands in the opposite
+order.  Consequently, reverse implication is _left associative_ and is
+short-circuiting from _right to left_.  To illustrate the
+associativity rules, each of the following four lines expresses the
+same property, for any `A`, `B`, and `C` of type `bool`:
+<!-- %no-check -->
+```dafny
+A ==> B ==> C
+A ==> (B ==> C) // parentheses redundant, ==> is right associative
+C <== B <== A
+(C <== B) <== A // parentheses redundant, <== is left associative
+```
+To illustrate the short-circuiting rules, note that the expression
+`a.Length` is defined for an array `a` only if `a` is not `null` (see
+[Section 5.1.2](#sec-reference-types)), which means the following two
+expressions are [well-formed](#sec-assertion-batches):
+<!-- %no-check -->
+```dafny
+a != null ==> 0 <= a.Length
+0 <= a.Length <== a != null
+```
+The contrapositives of these two expressions would be:
+<!-- %no-check -->
+```dafny
+a.Length < 0 ==> a == null  // not well-formed
+a == null <== a.Length < 0  // not well-formed
+```
+but these expressions might not necessarily be [well-formed](#sec-assertion-batches), since well-formedness
+requires the left (and right, respectively) operand, `a.Length < 0`,
+to be [well-formed](#sec-assertion-batches) in their context.
+
+Implication `A ==> B` is equivalent to the disjunction `!A || B`, but
+is sometimes (especially in specifications) clearer to read.  Since,
+`||` is short-circuiting from left to right, note that
+<!-- %no-check -->
+```dafny
+a == null || 0 <= a.Length
+```
+is [well-formed](#sec-assertion-batches) by itself, whereas
+<!-- %no-check -->
+```dafny
+0 <= a.Length || a == null  // not well-formed
+```
+is not if the context cannot prove that `a != null`.
+
+In addition, booleans support _logical quantifiers_ (forall and
+exists), described in [Section 9.31.4](#sec-quantifier-expression).
+
+### 5.2.2. Numeric Types ([grammar](#g-basic-type)) {#sec-numeric-types}
+
+Dafny supports _numeric types_ of two kinds, _integer-based_, which
+includes the basic type `int` of all integers, and _real-based_, which
+includes the basic type `real` of all real numbers.  User-defined
+numeric types based on `int` and `real`, either _subset types_ or _newtypes_,
+are described in [Section 5.6.3](#sec-subset-types) and [Section 5.7](#sec-newtypes).
+
+There is one built-in [_subset type_](#sec-subset-types),
+`nat`, representing the non-negative subrange of `int`.
+
+The language includes a literal for each integer, like
+`0`, `13`, and `1985`.  Integers can also be written in hexadecimal
+using the prefix "`0x`", as in `0x0`, `0xD`, and `0x7c1` (always with
+a lower case `x`, but the hexadecimal digits themselves are case
+insensitive).  Leading zeros are allowed.  To form negative literals,
+use the unary minus operator, as in `-12`, but not `-(12)`.
+
+There are also literals for some of the reals.  These are
+written as a decimal point with a nonempty sequence of decimal digits
+on both sides, optionally prefixed by a `-` character.
+For example, `1.0`, `1609.344`, `-12.5`, and `0.5772156649`.
+Real literals using exponents are not supported in Dafny. For now, you'd have to write your own function for that, e.g. 
+<!-- %check-verify -->
+```dafny
+// realExp(2.37, 100) computes 2.37e100
+function realExp(r: real, e: int): real decreases if e > 0 then e else -e {
+  if e == 0 then r
+  else if e < 0 then realExp(r/10.0, e+1)
+  else realExp(r*10.0, e-1)
+}
+```
+
+For integers (in both decimal and hexadecimal form) and reals,
+any two digits in a literal may be separated by an underscore in order
+to improve human readability of the literals.  For example:
+<!-- %check-verify -->
+```dafny
+const c1 := 1_000_000        // easier to read than 1000000
+const c2 := 0_12_345_6789    // strange but legal formatting of 123456789
+const c3 := 0x8000_0000      // same as 0x80000000 -- hex digits are
+                             // often placed in groups of 4
+const c4 := 0.000_000_000_1  // same as 0.0000000001 -- 1 Angstrom
+```
+
+In addition to equality and disequality, numeric types
+support the following relational operations, which have the
+same precedence as equality:
+
+ operator          | description
+-------------------|------------------------------------
+  `<`              | less than
+  `<=`             | at most
+  `>=`             | at least
+  `>`              | greater than
+
+Like equality and disequality, these operators are chaining, as long
+as they are chained in the "same direction".  That is,
+<!-- %no-check -->
+```dafny
+A <= B < C == D <= E
+```
+is simply a shorthand for
+<!-- %no-check -->
+```dafny
+A <= B && B < C && C == D && D <= E
+```
+whereas
+<!-- %no-check -->
+```dafny
+A < B > C
+```
+is not allowed.
+
+There are also operators on each numeric type:
+
+ operator        | precedence | description
+-----------------|:---:|------------------------------------
+  `+`            | 6 | addition (plus)
+  `-`            | 6 | subtraction (minus)
+-----------------|------------------------------------
+  `*`            | 7 | multiplication (times)
+  `/`            | 7 | division (divided by)
+  `%`            | 7 | modulus (mod)  -- int only
+-----------------|------------------------------------
+  `-`            | 10 | negation (unary minus)
+
+The binary operators are left associative, and they associate with
+each other in the two groups.
+The groups are listed in order of
+increasing binding power, with equality binding less strongly than any of these operators.
+There is no implicit conversion between `int` and `real`: use `as int` or
+`as real` conversions to write an explicit conversion (cf. [Section 9.10](#sec-as-is-expression)).
+
+Modulus is supported only for integer-based numeric types.  Integer
+division and modulus are the _Euclidean division and modulus_.  This
+means that modulus always returns a non-negative value, regardless of the
+signs of the two operands.  More precisely, for any integer `a` and
+non-zero integer `b`,
+<!-- %no-check -->
+```dafny
+a == a / b * b + a % b
+0 <= a % b < B
+```
+where `B` denotes the absolute value of `b`.
+
+Real-based numeric types have a member `Floor` that returns the
+_floor_ of the real value (as an int value), that is, the largest integer not exceeding
+the real value.  For example, the following properties hold, for any
+`r` and `r'` of type `real`:
+<!-- %check-verify -->
+```dafny
+method m(r: real, r': real) {
+  assert 3.14.Floor == 3;
+  assert (-2.5).Floor == -3;
+  assert -2.5.Floor == -2; // This is -(2.5.Floor)
+  assert r.Floor as real <= r;
+  assert r <= r' ==> r.Floor <= r'.Floor;
+}
+```
+Note in the third line that member access (like `.Floor`) binds
+stronger than unary minus.  The fourth line uses the conversion
+function `as real` from `int` to `real`, as described in
+[Section 9.10](#sec-as-is-expression).
+
+### 5.2.3. Bit-vector Types ([grammar](#g-basic-type)) {#sec-bit-vector-types}
+
+Dafny includes a family of bit-vector types, each type having a specific,
+constant length, the number of bits in its values.
+Each such type is
+distinct and is designated by the prefix `bv` followed (without white space) by
+a positive integer without leading zeros or zero, stating the number of bits. For example,
+`bv1`, `bv8`, and `bv32` are legal bit-vector type names.
+The type `bv0` is also legal; it is a bit-vector type with no bits and just one value, `0x0`.
+
+Constant literals of bit-vector types are given by integer literals converted automatically
+to the designated type, either by an implicit or explicit conversion operation or by initialization in a declaration.
+Dafny checks that the constant literal is in the correct range. For example,
+<!-- %check-resolve Types.1.expect -->
+```dafny
+const i: bv1 := 1
+const j: bv8 := 195
+const k: bv2 := 5 // error - out of range
+const m := (194 as bv8) | (7 as bv8)
+```
+
+Bit-vector values can be converted to and from `int` and other bit-vector types, as long as
+the values are in range for the target type. Bit-vector values are always considered unsigned.
+
+Bit-vector operations include bit-wise operators and arithmetic operators
+(as well as equality, disequality, and comparisons).
+The arithmetic operations
+truncate the high-order bits from the results; that is, they perform
+unsigned arithmetic modulo 2^{number of bits}, like 2's-complement machine arithmetic.
+
+ operator        | precedence | description
+-----------------|:---:|------------------------------------
+ `<<`            | 5 | bit-limited bit-shift left
+ `>>`            | 5 | unsigned bit-shift right
+-----------------|------------------------------------
+  `+`            | 6 | bit-limited addition
+  `-`            | 6 | bit-limited subtraction
+-----------------|------------------------------------
+  `*`            | 7 | bit-limited multiplication
+-----------------|------------------------------------
+  `&`            | 8 | bit-wise and
+  `|`            | 8 | bit-wise or 
+  `^`            | 8 | bit-wise exclusive-or
+-----------------|------------------------------------
+  `-`            | 10 | bit-limited negation (unary minus)
+  `!`            | 10 | bit-wise complement
+-----------------|------------------------------------
+  .RotateLeft(n) | 11 | rotates bits left by n bit positions
+  .RotateRight(n)| 11 | rotates bits right by n bit positions
+
+The groups of operators lower in the table above bind more tightly.[^binding]
+All operators bind more tightly than equality, disequality, and comparisons.
+All binary operators are left-associative, but the 
+bit-wise `&`, `|`, and `^` do not associate together (parentheses are required to disambiguate).
+The `+`, `|`, `^`, and `&` operators are commutative.
+
+The right-hand operand of bit-shift operations is an `int` value,
+must be non-negative, and
+no more than the number of bits in the type.
+There is no signed right shift as all bit-vector values correspond to
+non-negative integers.
+
+Bit-vector negation returns an unsigned value in the correct range for the type.
+It has the properties `x + (-x) == 0` and `(!x) + 1 == -x`, for a bitvector value `x`
+of at least one bit.
+
+The argument of the `RotateLeft` and `RotateRight` operations is a
+non-negative `int` that is no larger than the bit-width of the value being rotated.
+`RotateLeft` moves bits to higher bit positions (e.g., `(2 as bv4).RotateLeft(1) == (4 as bv4)`
+and `(8 as bv4).RotateLeft(1) == (1 as bv4)`);
+`RotateRight` moves bits to lower bit positions, so `b.RotateLeft(n).RotateRight(n) == b`.
+
+Here are examples of the various operations (all the assertions are true except where indicated):
+<!-- %check-verify -->
+```dafny
+const i: bv4 := 9
+const j: bv4 := 3
+
+method m() {
+  assert (i & j) == (1 as bv4);
+  assert (i | j) == (11 as bv4);
+  assert (i ^ j) == (10 as bv4);
+  assert !i == (6 as bv4);
+  assert -i == (7 as bv4);
+  assert (i + i) == (2 as bv4);
+  assert (j - i) == (10 as bv4);
+  assert (i * j) == (11 as bv4);
+  assert (i as int) / (j as int) == 3;
+  assert (j << 1) == (6 as bv4);
+  assert (i << 1) == (2 as bv4);
+  assert (i >> 1) == (4 as bv4);
+  assert i == 9; // auto conversion of literal to bv4
+  assert i * 4 == j + 8 + 9; // arithmetic is modulo 16
+  assert i + j >> 1 == (i + j) >> 1; // + - bind tigher than << >>
+  assert i + j ^ 2 == i + (j^2);
+  assert i * j & 1 == i * (j&1); // & | ^ bind tighter than + - *
+}
+```
+The following are incorrectly formed:
+<!-- %check-resolve Types.2.expect -->
+```dafny
+const i: bv4 := 9
+const j: bv4 := 3
+
+method m() {
+  assert i & 4 | j == 0 ; // parentheses required
+}
+```
+<!-- %check-resolve Types.3.expect -->
+```dafny
+const k: bv4 := 9
+
+method p() {
+  assert k as bv5 == 9 as bv6; // error: mismatched types
+}
+```
+These produce assertion errors:
+<!-- %check-verify Types.4.expect -->
+```dafny
+const i: bv4 := 9
+
+method m() {
+  assert i as bv3 == 1; // error: i is out of range for bv3
+}
+```
+<!-- %check-resolve Types.5.expect -->
+```dafny
+const j: bv4 := 9
+
+method n() {
+  assert j == 25; // error: 25 is out of range for bv4
+}
+```
+
+Bit-vector constants (like all constants) can be initialized using expressions, but pay attention
+to how type inference applies to such expressions. For example,
+<!-- %check-verify -->
+```dafny
+const a: bv3 := -1
+```
+is legal because Dafny interprets `-1` as a `bv3` expression, because `a` has type `bv3`.
+Consequently the `-` is `bv3` negation and the `1` is a `bv3` literal; the value of the expression `-1` is
+the `bv3` value `7`, which is then the value of `a`.
+
+On the other hand,
+<!-- %check-resolve Types.6.expect -->
+```dafny
+const b: bv3 := 6 & 11
+```
+is illegal because, again, the `&` is `bv3` bit-wise-and and the numbers must be valid `bv3` literals.
+But `11` is not a valid `bv3` literal.
+
+[^binding]: The binding power of shift and bit-wise operations is different than in C-like languages.
+
+### 5.2.4. Ordinal type ([grammar](#g-basic-type)) {#sec-ordinals}
+
+Values of type `ORDINAL` behave like `nat`s in many ways, with one important difference:
+there are `ORDINAL` values that are larger than any `nat`. The smallest of these non-nat ordinals is
+represented as $\omega$ in mathematics, though there is no literal expression in Dafny that represents this value.
+
+The natural numbers are ordinals.
+Any ordinal has a successor ordinal (equivalent to adding `1`).
+Some ordinals are _limit_ ordinals, meaning they are not a successor of any other ordinal;
+the natural number `0` and  $\omega$ are limit ordinals.
+
+The _offset_ of an ordinal is the number of successor operations it takes to reach it from a limit ordinal.
+
+The Dafny type `ORDINAL` has these member functions:
+- `o.IsLimit` -- true if `o` is a limit ordinal (including `0`)
+- `o.IsSucc` -- true if `o` is a successor to something, so `o.IsSucc <==> !o.IsLimit`
+- `o.IsNat` -- true if `o` represents a `nat` value, so for `n` a `nat`, `(n as ORDINAL).IsNat` is true
+and if `o.IsNat` is true then `(o as nat)` is well-defined
+- `o.Offset` -- is the `nat` value giving the offset of the ordinal
+
+In addition, 
+- non-negative numeric literals may be considered `ORDINAL` literals, so `o + 1` is allowed
+- `ORDINAL`s may be compared, using `== != < <= > >=`
+- two `ORDINAL`s may be added and the result is `>=` either one of them; addition is associative but not commutative
+- `*`, `/` and `%` are not defined for `ORDINAL`s
+- two `ORDINAL`s may be subtracted if the RHS satisfies `.IsNat` and the offset of the LHS is not smaller than the offset of the RHS
+
+In Dafny, `ORDINAL`s are used primarily in conjunction with [extreme functions and lemmas](#sec-extreme).
+
+### 5.2.5. Characters ([grammar](#g-basic-type)) {#sec-characters}
+
+Dafny supports a type `char` of _characters_.  
+Its exact meaning is controlled by the command-line switch `--unicode-char:true|false`.
+
+If `--unicode-char` is disabled, then `char` represents any [UTF-16 code unit](https://en.wikipedia.org/wiki/UTF-16).
+This includes surrogate code points.
+
+If `--unicode-char` is enabled, then `char` represents any [Unicode scalar value](https://unicode.org/glossary/#unicode_scalar_value).
+This excludes surrogate code points.
+
+Character literals are enclosed in single quotes, as in `'D'`. 
+To write a single quote as a
+character literal, it is necessary to use an _escape sequence_.
+Escape sequences can also be used to write other characters.  The
+supported escape sequences are the following:
+
+ escape sequence    | meaning
+--------------------|-------------------------------------------------------
+ `\'`               | the character `'`
+ `\"`               | the character `"`
+ `\\`               | the character `\`
+ `\0`               | the null character, same as `\u0000` or `\U{0}`
+ `\n`               | line feed
+ `\r`               | carriage return
+ `\t`               | horizontal tab
+ `\u`_xxxx_         | [UTF-16 code unit](https://en.wikipedia.org/wiki/UTF-16) whose hexadecimal code is _xxxx_,  where each _x_ is a hexadecimal digit
+ `\U{`_x..x_`}`     | [Unicode scalar value](https://unicode.org/glossary/#unicode_scalar_value) whose hexadecimal code is _x..x_,  where each _x_ is a hexadecimal digit
+
+The escape sequence for a double quote is redundant, because
+`'"'` and `'\"'` denote the same
+character---both forms are provided in order to support the same
+escape sequences in string literals ([Section 5.5.3.5](#sec-strings)).
+
+In the form `\u`_xxxx_, which is only allowed if `--unicode-char` is disabled,
+the `u` is always lower case, but the four
+hexadecimal digits are case insensitive.
+
+In the form `\U{`_x..x_`}`, 
+which is only allowed if `--unicode-char` is enabled,
+the `U` is always upper case,
+but the hexadecimal digits are case insensitive, and there must
+be at least one and at most six digits.
+Surrogate code points are not allowed.
+The hex digits may be interspersed with underscores for readability 
+(but not beginning or ending with an underscore), as in `\U{1_F680}`.
+
+Character values are ordered and can be compared using the standard
+relational operators:
+
+ operator        | description
+-----------------|-----------------------------------
+  `<`              | less than
+  `<=`             | at most
+  `>=`             | at least
+  `>`              | greater than
+
+Sequences of characters represent _strings_, as described in
+[Section 5.5.3.5](#sec-strings).
+
+Character values can be converted to and from `int` values using the
+`as int` and `as char` conversion operations. The result is what would
+be expected in other programming languages, namely, the `int` value of a
+`char` is the ASCII or Unicode numeric value.
+
+The only other operations on characters are obtaining a character
+by indexing into a string, and the implicit conversion to string
+when used as a parameter of a `print` statement.
+
+<!--PDF NEWPAGE-->
+## 5.3. Type parameters ([grammar](#g-type-parameter)) {#sec-type-parameters}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+type G1<T>
+type G2<T(0)>
+type G3<+T(==),-U>
+```
+
+Many of the types, functions, and methods in Dafny can be
+parameterized by types.  These _type parameters_ are 
+declared inside angle brackets and can stand for any type.
+
+Dafny has some inference support that makes certain signatures less
+cluttered (described in [Section 12.2](#sec-type-inference)).
+
+### 5.3.1. Declaring restrictions on type parameters {#sec-type-characteristics}
+
+It is sometimes necessary to restrict type parameters so that
+they can only be instantiated by certain families of types, that is,
+by types that have certain properties. These properties are known as
+_type characteristics_. The following subsections
+describe the type characteristics that Dafny supports.
+
+In some cases, type inference will infer that a type-parameter
+must be restricted in a particular way, in which case Dafny
+will add the appropriate suffix, such as `(==)`, automatically.
+
+If more than one restriction is needed, they are either
+listed comma-separated,
+inside the parentheses or as multiple parenthesized elements:
+ `T(==,0)` or `T(==)(0)`.
+
+When an actual type is substituted for a type parameter in a generic type instantiation,
+the actual type must have the declared or inferred type characteristics of the type parameter.
+These characteristics might also be inferred for the actual type. For example, a numeric-based
+subset or newtype automatically has the `==` relationship of its base type. Similarly, 
+type synonyms have the characteristics of the type they represent.
+
+An abstract type has no known characteristics. If it is intended to be defined only as types
+that have certain characteristics, then those characteristics must be declared.
+For example,
+<!-- %check-resolve Types.26.expect -->
+```dafny
+class A<T(00)> {}
+type Q
+const a: A<Q>
+```
+will give an error because it is not known whether the type `Q` is non-empty (`00`).
+Instead, one needs to write
+<!-- %check-resolve -->
+```dafny
+class A<T(00)> {}
+type Q(00)
+const a: A?<Q> := null
+```
+
+#### 5.3.1.1. Equality-supporting type parameters: `T(==)` {#sec-equality-supporting}
+
+Designating a type parameter with the `(==)` suffix indicates that
+the parameter may only be replaced in non-ghost contexts
+with types that are known to
+support run-time equality comparisons (`==` and `!=`).
+All types support equality in ghost contexts,
+as if, for some types, the equality function is ghost.
+
+For example,
+<!-- %check-verify -->
+```dafny
+method Compare<T(==)>(a: T, b: T) returns (eq: bool)
+{
+  if a == b { eq := true; } else { eq := false; }
+}
+```
+is a method whose type parameter is restricted to equality-supporting
+types when used in a non-ghost context.
+Again, note that _all_ types support equality in _ghost_
+contexts; the difference is only for non-ghost (that is, compiled)
+code.  Coinductive datatypes, arrow types, and inductive
+datatypes with ghost parameters are examples of types that are not
+equality supporting.
+
+#### 5.3.1.2. Auto-initializable types: `T(0)` {#sec-auto-init}
+
+At every access of a variable `x` of a type `T`, Dafny ensures that
+`x` holds a legal value of type `T`.
+If no explicit initialization is given, then an arbitrary value is
+assumed by the verifier and supplied by the compiler,
+that is, the variable is _auto-initialized_, but to an arbitrary value.
+For example,
+<!-- %check-verify Types.21.expect -->
+```dafny
+class Example<A(0), X> {
+  var n: nat
+  var i: int
+  var a: A
+  var x: X
+
+  constructor () {
+    new; // error: field 'x' has not been given a value`
+    assert n >= 0; // true, regardless of the value of 'n'
+    assert i >= 0; // possibly false, since an arbitrary 'int' may be negative
+    // 'a' does not require an explicit initialization, since 'A' is auto-init
+  }
+}
+```
+In the example above, the class fields do not need to be explicitly initialized
+in the constructor because they are auto-initialized to an arbitrary value.
+
+Local variables and out-parameters are however, subject to definite assignment
+rules. The following example requires `--relax-definite-assignment`,
+which is not the default.
+<!-- %check-verify Types.7a.expect %options --relax-definite-assignment -->
+```dafny
+method m() {
+  var n: nat; // Auto-initialized to an arbitrary value of type `nat`
+  assert n >= 0; // true, regardless of the value of n
+  var i: int;
+  assert i >= 0; // possibly false, arbitrary ints may be negative
+}
+```
+With the default behavior of definite assignment, `n` and `i` need to be initialized
+to an explicit value of their type or to an arbitrary value using, for example,
+`var n: nat := *;`.
+
+For some types (known as _auto-init types_), the compiler can choose an
+initial value, but for others it does not.
+Variables and fields whose type the compiler does not auto-initialize
+are subject to _definite-assignment_ rules. These ensure that the program
+explicitly assigns a value to a variable before it is used.
+For more details see [Section 12.6](#sec-definite-assignment) and the `--relax-definite-assignment` command-line option.
+More detail on auto-initializing is in [this document](../Compilation/AutoInitialization).
+
+Dafny supports auto-init as a type characteristic.
+To restrict a type parameter to auto-init types, mark it with the
+`(0)` suffix. For example,
+<!-- %check-verify Types.7b.expect %options --relax-definite-assignment -->
+```dafny
+method AutoInitExamples<A(0), X>() returns (a: A, x: X)
+{
+  // 'a' does not require an explicit initialization, since A is auto-init
+  // error: out-parameter 'x' has not been given a value
+}
+```
+In this example, an error is reported because out-parameter `x` has not
+been assigned---since nothing is known about type `X`, variables of
+type `X` are subject to definite-assignment rules. In contrast, since
+type parameter `A` is declared to be restricted to auto-init types,
+the program does not need to explicitly assign any value to the
+out-parameter `a`.
+
+#### 5.3.1.3. Nonempty types: `T(00)` {#sec-nonempty-types}
+
+Auto-init types are important in compiled contexts. In ghost contexts, it
+may still be important to know that a type is nonempty. Dafny supports
+a type characteristic for nonempty types, written with the suffix `(00)`.
+For example, with `--relax-definite-assignment`, the following example happens:
+
+<!-- %check-verify Types.8.expect %options --relax-definite-assignment -->
+```dafny
+method NonemptyExamples<B(00), X>() returns (b: B, ghost g: B, ghost h: X)
+{
+  // error: non-ghost out-parameter 'b' has not been given a value
+  // ghost out-parameter 'g' is fine, since its type is nonempty
+  // error: 'h' has not been given a value
+}
+```
+Because of `B`'s nonempty type characteristic, ghost parameter `g` does not
+need to be explicitly assigned. However, Dafny reports an error for the
+non-ghost `b`, since `B` is not an auto-init type, and reports an error
+for `h`, since the type `X` could be empty.
+
+Note that every auto-init type is nonempty.
+
+In the default definite-assignment mode (that is, without `--relax-definite-assignment`)
+there will be errors for all three formal parameters in the example just given.
+
+For more details see [Section 12.6](#sec-definite-assignment).
+
+#### 5.3.1.4. Non-heap based: `T(!new)` {#sec-non-heap-based}
+
+Dafny makes a distinction between types whose values are on the heap,
+i.e. references, like
+classes and arrays, and those that are strictly value-based, like basic
+types and datatypes.
+The practical implication is that references depend on allocation state
+(e.g., are affected by the `old` operation) whereas non-reference values
+are not.
+Thus it can be relevant to know whether the values of a type parameter
+are heap-based or not. This is indicated by the mode suffix `(!new)`.
+
+A type parameter characterized by `(!new)` is _recursively_ independent
+of the allocation state. For example, a datatype is not a reference, but for
+a parameterized data type such as
+<!-- %check-resolve -->
+```dafny
+datatype Result<T> = Failure(error: string) | Success(value: T)
+```
+the instantiation `Result<int>` satisfies `(!new)`, whereas
+`Result<array<int>>` does not.
+
+Note that this characteristic of a type parameter is operative for both
+verification and compilation.
+Also, abstract types at the topmost scope are always implicitly `(!new)`.
+
+Here are some examples:
+<!-- %check-resolve Types.9.expect -->
+```dafny
+datatype Result<T> = Failure(error: string) | Success(v: T)
+datatype ResultN<T(!new)> = Failure(error: string) | Success(v: T)
+
+class C {}
+
+method m() {
+  var x1: Result<int>;
+  var x2: ResultN<int>;
+  var x3: Result<C>;
+  var x4: ResultN<C>; // error
+  var x5: Result<array<int>>;
+  var x6: ResultN<array<int>>; // error
+}
+```
+
+### 5.3.2. Type parameter variance {#sec-type-parameter-variance}
+
+Type parameters have several different variance and cardinality properties.
+These properties of type parameters are designated in a generic type definition.
+For instance, in `type A<+T> = ... `, the `+` indicates that the `T` position
+is co-variant. These properties are indicated by the following notation:
+
+notation | variance | cardinality-preserving
+:-------:|----------|-----------------------
+(nothing) | non-variant | yes
+`+`      | co-variant | yes
+`-`      | contra-variant | not necessarily
+`*`      | co-variant | not necessarily
+`!`      | non-variant | not necessarily
+
+- _co-variance_ (`A<+T>` or `A<*T>`) means that if `U` is a subtype of `V` then `A<U>` is a subtype of `A<V>`
+- _contra-variance_ (`A<-T>`) means that if `U` is a subtype of `V` then `A<V>` is a subtype of `A<U>`
+- _non-variance_ (`A<T>` or `A<!T>`)  means that if `U` is a different type than `V` then there is no subtyping relationship between `A<U>` and `A<V>`
+
+_Cardinality preserving_ 
+means that the cardinality of the type being defined never exceeds the cardinality of any of its type parameters.
+For example `type T<X> = X -> bool`
+is illegal and returns the error message `formal type parameter 'X' is not used according to its variance specification (it is used left of an arrow) (perhaps try declaring 'X' as '-X' or '!X')`
+The type `X -> bool` has strictly more values than the type `X`. 
+This affects certain uses of the type, so Dafny requires the declaration of `T` to explicitly say so. 
+Marking the type parameter `X` with `-` or `!` announces that the cardinality of `T<X>` may by larger than that of `X`. 
+If you use `-`, you’re also declaring `T` to be contravariant in its type argument, and if you use `!`, you’re declaring that `T` is non-variant in its type argument.
+
+To fix it, we use the variance `!`:
+
+    type T<!X> = X -> bool
+
+This states that `T` does not preserve the cardinality of `X`, meaning there could be strictly more values of type `T<E>` than values of type `E` for any `E`.
+
+A more detailed explanation of these topics is [here](http://leino.science/papers/krml280.html).
+
+<!--PDF NEWPAGE-->
+## 5.4. Generic Instantiation ([grammar](#g-generic-instantiation)) {#sec-generic-instantiation}
+
+A generic instantiation consists of a comma-separated list of 1 or more Types,
+enclosed in angle brackets (`<` `>`),
+providing actual types to be used in place of the type parameters of the 
+declaration of the generic type.
+If there is no instantion for a generic type, type inference will try
+to fill these in (cf. [Section 12.2](#sec-type-inference)).
+
+<!--PDF NEWPAGE-->
+## 5.5. Collection types {#sec-collection-types}
+
+Dafny offers several built-in collection types.
+
+### 5.5.1. Sets ([grammar](#g-collection-type)) {#sec-sets}
+
+For any type `T`, each value of type `set<T>` is a finite set of
+`T` values.
+
+Set membership is determined by equality in the type `T`,
+so `set<T>` can be used in a non-ghost context only if `T` is
+[equality supporting](#sec-equality-supporting).
+
+For any type `T`, each value of type `iset<T>` is a potentially infinite
+set of `T` values.
+
+A set can be formed using a [_set display_ expression](#sec-set-display-expression), which is a
+possibly empty, unordered, duplicate-insensitive list of expressions
+enclosed in curly braces.  To illustrate,
+<!-- %no-check -->
+```dafny
+{}        {2, 7, 5, 3}        {4+2, 1+5, a*b}
+```
+are three examples of set displays. There is also a _set comprehension_
+expression (with a binder, like in logical quantifications), described in
+[Section 9.31.5](#sec-set-comprehension-expression).
+
+In addition to equality and disequality, set types
+support the following relational operations:
+
+ operator        | precedence | description
+-----------------|------------------------------------
+ `<`             | 4 | proper subset
+ `<=`            | 4 | subset
+ `>=`            | 4 | superset
+ `>`             | 4 | proper superset
+
+Like the arithmetic relational operators, these operators are
+chaining.
+
+Sets support the following binary operators, listed in order of
+increasing binding power:
+
+ operator      | precedence | description
+---------------|:---:|------------------------------------
+ `!!`          | 4 | disjointness
+---------------|------------------------------------
+ `+`           | 6 | set union
+ `-`           | 6 | set difference
+---------------|------------------------------------
+ `*`           | 7 |set intersection
+
+The associativity rules of `+`, `-`, and `*` are like those of the
+arithmetic operators with the same names.  The expression `A !! B`,
+whose binding power is the same as equality (but which neither
+associates nor chains with equality), says that sets `A` and `B` have
+no elements in common, that is, it is equivalent to
+<!-- %no-check -->
+```dafny
+A * B == {}
+```
+However, the disjointness operator is chaining though in a slightly different way than other chaining operators:
+ `A !! B !! C !! D` means that `A`, `B`, `C` and `D` are all mutually disjoint, that is
+<!-- %no-check -->
+```dafny
+A * B == {} && (A + B) * C == {} && (A + B + C) * D == {}
+```
+
+In addition, for any set `s` of type `set<T>` or `iset<T>` and any
+expression `e` of type `T`, sets support the following operations:
+
+ expression          | precedence | result type |  description
+---------------------|:---:|:---:|------------------------------------
+ `e in s`            | 4   | `bool` | set membership
+ `e !in s`           | 4   | `bool` | set non-membership
+ `|s|`               | 11  | `nat`  | set cardinality (not for `iset`)
+
+The expression `e !in s` is a syntactic shorthand for `!(e in s)`.
+
+(No white space is permitted between `!` and `in`, making `!in` effectively
+the one example of a mixed-character-class token in Dafny.)
+
+### 5.5.2. Multisets ([grammar](#g-collection-type)) {#sec-multisets}
+
+A _multiset_ is similar to a set, but keeps track of the multiplicity
+of each element, not just its presence or absence.  For any type `T`,
+each value of type `multiset<T>` is a map from `T` values to natural
+numbers denoting each element's multiplicity.  Multisets in Dafny
+are finite, that is, they contain a finite number of each of a finite
+set of elements.  Stated differently, a multiset maps only a finite
+number of elements to non-zero (finite) multiplicities.
+
+Like sets, multiset membership is determined by equality in the type
+`T`, so `multiset<T>` can be used in a non-ghost context only if `T`
+is [equality supporting](#sec-equality-supporting).
+
+A multiset can be formed using a _multiset display_ expression, which
+is a possibly empty, unordered list of expressions enclosed in curly
+braces after the keyword `multiset`.  To illustrate,
+<!-- %no-check -->
+```dafny
+multiset{}   multiset{0, 1, 1, 2, 3, 5}   multiset{4+2, 1+5, a*b}
+```
+are three examples of multiset displays.  There is no multiset
+comprehension expression.
+
+In addition to equality and disequality, multiset types
+support the following relational operations:
+
+
+ operator          | precedence | description
+-------------------|-----------------------------------
+  `<`              | 4 | proper multiset subset
+  `<=`             | 4 | multiset subset
+  `>=`             | 4 | multiset superset
+  `>`              | 4 | proper multiset superset
+
+Like the arithmetic relational operators, these operators are
+chaining.
+
+Multisets support the following binary operators, listed in order of
+increasing binding power:
+
+ operator      | precedence | description
+---------------|:---:|------------------------------------
+ `!!`          | 4 | multiset disjointness
+---------------|------------------------------------
+ `+`           | 6 |multiset sum
+ `-`           | 6 |multiset difference
+---------------|------------------------------------
+ `*`           | 7 | multiset intersection
+
+The associativity rules of `+`, `-`, and `*` are like those of the
+arithmetic operators with the same names. The `+` operator
+adds the multiplicity of corresponding elements, the `-` operator
+subtracts them (but 0 is the minimum multiplicity),
+and the `*` has multiplicity that is the minimum of the
+multiplicity of the operands. There is no operator for multiset
+union, which would compute the maximum of the multiplicities of the operands.
+
+The expression `A !! B`
+says that multisets `A` and `B` have no elements in common, that is,
+it is equivalent to
+<!-- %no-check -->
+```dafny
+A * B == multiset{}
+```
+Like the analogous set operator, `!!` is chaining and means mutual disjointness.
+
+In addition, for any multiset `s` of type `multiset<T>`,
+expression `e` of type `T`, and non-negative integer-based numeric
+`n`, multisets support the following operations:
+
+ expression      | precedence | result type      | description
+-----------------|:---:|:----------------:|------------------------------------------
+ `e in s`        | 4  |  `bool`         | multiset membership
+ `e !in s`       | 4  |  `bool`         | multiset non-membership
+ `|s|`           | 11 |   `nat`          | multiset cardinality
+ `s[e]`          | 11 |  `nat`          | multiplicity of `e` in `s`
+ `s[e := n]`     | 11 | `multiset<T>`    | multiset update (change of multiplicity)
+
+The expression `e in s` returns `true` if and only if `s[e] != 0`.
+The expression `e !in s` is a syntactic shorthand for `!(e in s)`.
+The expression `s[e := n]` denotes a multiset like
+`s`, but where the multiplicity of element `e` is `n`.  Note that
+the multiset update `s[e := 0]` results in a multiset like `s` but
+without any occurrences of `e` (whether or not `s` has occurrences of
+`e` in the first place).  As another example, note that
+`s - multiset{e}` is equivalent to:
+<!-- %no-check -->
+```dafny
+if e in s then s[e := s[e] - 1] else s
+```
+
+### 5.5.3. Sequences ([grammar](#g-collection-type)) {#sec-sequences}
+
+For any type `T`, a value of type `seq<T>` denotes a _sequence_ of `T`
+elements, that is, a mapping from a finite downward-closed set of natural
+numbers (called _indices_) to `T` values.
+
+#### 5.5.3.1. Sequence Displays {#sec-sequence-displays}
+A sequence can be formed using a _sequence display_ expression, which
+is a possibly empty, ordered list of expressions enclosed in square
+brackets.  To illustrate,
+<!-- %no-check -->
+```dafny
+[]        [3, 1, 4, 1, 5, 9, 3]        [4+2, 1+5, a*b]
+```
+are three examples of sequence displays.
+
+  There is also a sequence
+comprehension expression ([Section 9.28](#sec-seq-comprehension)):
+<!-- %no-check -->
+```dafny
+seq(5, i => i*i)
+```
+is equivalent to `[0, 1, 4, 9, 16]`.
+
+#### 5.5.3.2. Sequence Relational Operators
+In addition to equality and disequality, sequence types
+support the following relational operations:
+
+ operator        | precedence | description
+-----------------|------------------------------------
+  <              | 4 | proper prefix
+  <=             | 4 | prefix
+
+Like the arithmetic relational operators, these operators are
+chaining.  Note the absence of `>` and `>=`.
+
+#### 5.5.3.3. Sequence Concatenation
+Sequences support the following binary operator:
+
+ operator      | precedence | description
+---------------|------------------------------------
+ `+`           | 6 | concatenation
+
+Operator `+` is associative, like the arithmetic operator with the
+same name.
+
+#### 5.5.3.4. Other Sequence Expressions {#sec-other-sequence-expressions}
+In addition, for any sequence `s` of type `seq<T>`, expression `e`
+of type `T`, integer-based numeric index `i` satisfying `0 <= i < |s|`, and
+integer-based numeric bounds `lo` and `hi` satisfying
+`0 <= lo <= hi <= |s|`, noting that bounds can equal the length of the sequence,
+sequences support the following operations:
+
+ expression         | precedence | result type | description
+ -------------------|:---:|:---:|----------------------------------------
+ `e in s`           | 4 | `bool` | sequence membership
+ `e !in s`          | 4 | `bool` | sequence non-membership
+ `|s|`              | 11 | `nat` | sequence length
+ `s[i]`             | 11 | `T` | sequence selection
+ `s[i := e]`        | 11 | `seq<T>` | sequence update
+ `s[lo..hi]`        | 11 | `seq<T>`| subsequence
+ `s[lo..]`          | 11 | `seq<T>` | drop
+ `s[..hi]`          | 11 | `seq<T>` | take
+ `s[`_slices_`]`    | 11 | `seq<seq<T>>` | slice
+ `multiset(s)`      | 11 | `multiset<T>`| sequence conversion to a `multiset<T>`
+
+Expression `s[i := e]` returns a sequence like `s`, except that the
+element at index `i` is `e`.  The expression `e in s` says there
+exists an index `i` such that `s[i] == e`.  It is allowed in non-ghost
+contexts only if the element type `T` is
+[equality supporting](#sec-equality-supporting).
+The expression `e !in s` is a syntactic shorthand for `!(e in s)`.
+
+Expression `s[lo..hi]` yields a sequence formed by taking the first
+`hi` elements and then dropping the first `lo` elements.  The
+resulting sequence thus has length `hi - lo`.  Note that `s[0..|s|]`
+equals `s`.  If the upper bound is omitted, it
+defaults to `|s|`, so `s[lo..]` yields the sequence formed by dropping
+the first `lo` elements of `s`.  If the lower bound is omitted, it
+defaults to `0`, so `s[..hi]` yields the sequence formed by taking the
+first `hi` elements of `s`.
+
+In the sequence slice operation, _slices_ is a nonempty list of
+length designators separated and optionally terminated by a colon, and
+there is at least one colon.  Each length designator is a non-negative
+integer-based numeric; the sum of the length designators is no greater than `|s|`.  If there
+are _k_ colons, the operation produces _k + 1_ consecutive subsequences
+from `s`, with the length of each indicated by the corresponding length
+designator, and returns these as a sequence of
+sequences.
+If _slices_ is terminated by a
+colon, then the length of the last slice extends until the end of `s`,
+that is, its length is `|s|` minus the sum of the given length
+designators.  For example, the following equalities hold, for any
+sequence `s` of length at least `10`:
+<!-- %check-verify %options --allow-axioms -->
+```dafny
+method m(s: seq<int>) {
+  var t := [3.14, 2.7, 1.41, 1985.44, 100.0, 37.2][1:0:3];
+  assert |t| == 3 && t[0] == [3.14] && t[1] == [];
+  assert t[2] == [2.7, 1.41, 1985.44];
+  var u := [true, false, false, true][1:1:];
+  assert |u| == 3 && u[0][0] && !u[1][0] && u[2] == [false, true];
+  assume |s| > 10;
+  assert s[10:][0] == s[..10];
+  assert s[10:][1] == s[10..];
+}
+```
+
+The operation `multiset(s)` yields the multiset of elements of
+sequence `s`.  It is allowed in non-ghost contexts only if the element
+type `T` is [equality supporting](#sec-equality-supporting).
+
+#### 5.5.3.5. Strings ([grammar](#g-collection-type)) {#sec-strings}
+
+A special case of a sequence type is `seq<char>`, for which Dafny
+provides a synonym: `string`.  Strings are like other sequences, but
+provide additional syntax for sequence display expressions, namely
+_string literals_.  There are two forms of the syntax for string
+literals:  the _standard form_ and the _verbatim form_.
+
+String literals of the standard form are enclosed in double quotes, as
+in `"Dafny"`.  To include a double quote in such a string literal,
+it is necessary to use an escape sequence.  Escape sequences can also
+be used to include other characters.  The supported escape sequences
+are the same as those for character literals ([Section 5.2.5](#sec-characters)).
+For example, the Dafny expression `"say \"yes\""` represents the
+string `'say "yes"'`.
+The escape sequence for a single quote is redundant, because
+`"\'"` and `"\'"` denote the same
+string---both forms are provided in order to support the same
+escape sequences as do character literals.
+
+String literals of the verbatim form are bracketed by
+`@"` and `"`, as in `@"Dafny"`.  To include
+a double quote in such a string literal, it is necessary to use the
+escape sequence `""`, that is, to write the character
+twice.  In the verbatim form, there are no other escape sequences.
+Even characters like newline can be written inside the string literal
+(hence spanning more than one line in the program text).
+
+For example, the following three expressions denote the same string:
+<!-- %no-check -->
+```dafny
+"C:\\tmp.txt"
+@"C:\tmp.txt"
+['C', ':', '\\', 't', 'm', 'p', '.', 't', 'x', 't']
+```
+
+Since strings are sequences, the relational operators `<`
+and `<=` are defined on them.  Note, however, that these operators
+still denote proper prefix and prefix, respectively, not some kind of
+alphabetic comparison as might be desirable, for example, when
+sorting strings.
+
+### 5.5.4. Finite and Infinite Maps ([grammar](#g-collection-type)) {#sec-maps}
+
+For any types `T` and `U`, a value of type `map<T,U>` denotes a
+_(finite) map_
+from `T` to `U`.  In other words, it is a look-up table indexed by
+`T`.  The _domain_ of the map is a finite set of `T` values that have
+associated `U` values.  Since the keys in the domain are compared
+using equality in the type `T`, type `map<T,U>` can be used in a
+non-ghost context only if `T` is
+[equality supporting](#sec-equality-supporting).
+
+Similarly, for any types `T` and `U`, a value of type `imap<T,U>`
+denotes a _(possibly) infinite map_.  In most regards, `imap<T,U>` is
+like `map<T,U>`, but a map of type `imap<T,U>` is allowed to have an
+infinite domain.
+
+A map can be formed using a _map display_ expression (see [Section 9.30](#sec-map-display-expression)),
+which is a possibly empty, ordered list of _maplets_, each maplet having the
+form `t := u` where `t` is an expression of type `T` and `u` is an
+expression of type `U`, enclosed in square brackets after the keyword
+`map`.  To illustrate,
+<!-- %no-check -->
+```dafny
+map[]
+map[20 := true, 3 := false, 20 := false]
+map[a+b := c+d]
+```
+are three examples of map displays.  By using the keyword `imap`
+instead of `map`, the map produced will be of type `imap<T,U>`
+instead of `map<T,U>`.  Note that an infinite map (`imap`) is allowed
+to have a finite domain, whereas a finite map (`map`) is not allowed
+to have an infinite domain.
+If the same key occurs more than
+once in a map display expression, only the last occurrence appears in the resulting
+map.[^fn-map-display]  There is also a _map comprehension expression_,
+explained in [Section 9.31.8](#sec-map-comprehension-expression).
+
+[^fn-map-display]: This is likely to change in the future to disallow
+    multiple occurrences of the same key.
+
+For any map `fm` of type `map<T,U>`,
+any map `m` of type `map<T,U>` or `imap<T,U>`,
+any expression `t` of type `T`,
+any expression `u` of type `U`, and any `d` in the domain of `m` (that
+is, satisfying `d in m`), maps support the following operations:
+
+ expression     | precedence | result type | description
+ ---------------|:---:|:-----------:|------------------------------------
+ `t in m`       | 4 | `bool`      | map domain membership
+ `t !in m`      | 4 | `bool`      | map domain non-membership
+ `|fm|`         | 11 | `nat`       | map cardinality
+ `m[d]`         | 11 | `U`         | map selection
+ `m[t := u]`    | 11 | `map<T,U>`  | map update
+ `m.Keys`      | 11 | (i)`set<T>`    | the domain of `m`
+ `m.Values`    | 11 | (i)`set<U>`    | the range of `m`
+ `m.Items`     | 11 | (i)`set<(T,U)>`| set of pairs (t,u) in `m`
+
+`|fm|` denotes the number of mappings in `fm`, that is, the
+cardinality of the domain of `fm`.  Note that the cardinality operator
+is not supported for infinite maps.
+Expression `m[d]` returns the `U` value that `m` associates with `d`.
+Expression `m[t := u]` is a map like `m`, except that the
+element at key `t` is `u`.  The expression `t in m` says `t` is in the
+domain of `m` and `t !in m` is a syntactic shorthand for
+`!(t in m)`.[^fn-map-membership]
+
+The expressions `m.Keys`, `m.Values`, and `m.Items` return, as sets,
+the domain, the range, and the 2-tuples holding the key-value
+associations in the map. Note that `m.Values` will have a different
+cardinality than `m.Keys` and `m.Items` if different keys are
+associated with the same value. If `m` is an `imap`, then these
+expressions return `iset` values. If `m` is a map, `m.Values` and `m.Items`
+require the type of the range `U` to support equality.
+
+[^fn-map-membership]: This is likely to change in the future as
+    follows:  The `in` and `!in` operations will no longer be
+    supported on maps, with `x in m` replaced by `x in m.Keys`,
+and similarly for `!in`.
+
+Here is a small example, where a map `cache` of type `map<int,real>`
+is used to cache computed values of Joule-Thomson coefficients for
+some fixed gas at a given temperature:
+<!-- %no-check -->
+```dafny
+if K in cache {  // check if temperature is in domain of cache
+  coeff := cache[K];  // read result in cache
+} else {
+  coeff := ComputeJTCoefficient(K); // do expensive computation
+  cache := cache[K := coeff];  // update the cache
+}
+```
+
+Dafny also overloads the `+` and `-` binary operators for maps.
+The `+` operator merges two maps or imaps of the same type, as if each
+(key,value) pair of the RHS is added in turn to the LHS (i)map.
+In this use, `+` is not commutative; if a key exists in both
+(i)maps, it is the value from the RHS (i)map that is present in the result.
+
+The `-` operator implements a map difference operator. Here the LHS
+is a `map<K,V>` or `imap<K,V>` and the RHS is a `set<K>` (but not an `iset`); the operation removes
+from the LHS all the (key,value) pairs whose key is a member of the RHS set.
+
+To avoid causing circular reasoning chains or providing too much information that might
+complicate Dafny's prover finding proofs, not all properties of maps are known by the prover by default.
+For example, the following does not prove:
+<!-- %check-verify Types.25.expect -->
+```dafny
+method mmm<K(==),V(==)>(m: map<K,V>, k: K, v: V) {
+    var mm := m[k := v];
+    assert v in mm.Values;
+  }
+```
+Rather, one must provide an intermediate step, which is not entirely obvious:
+<!-- %check-verify -->
+```dafny
+method mmm<K(==),V(==)>(m: map<K,V>, k: K, v: V) {
+    var mm := m[k := v];
+    assert k in mm.Keys;
+    assert v in mm.Values;
+  }
+```
+
+### 5.5.5. Iterating over collections
+
+Collections are very commonly used in programming and one frequently
+needs to iterate over the elements of a collection. Dafny does not have
+built-in iterator methods, but the idioms by which to do so are straightforward.
+The subsections below give some introductory examples; more
+detail can be found in this [power user note](http://leino.science/papers/krml275.html).
+
+#### 5.5.5.1. Sequences and arrays
+
+Sequences and arrays are indexable and have a length. So the idiom to
+iterate over the contents is well-known. For an array:
+<!-- %check-resolve -->
+```dafny
+method m(a: array<int>) {
+  var i := 0;
+  var sum := 0;
+  while i < a.Length {
+    sum := sum + a[i];
+    i := i + 1;
+  }
+}
+```
+For a sequence, the only difference is the length operator:
+<!-- %check-resolve -->
+```dafny
+method m(s: seq<int>) {
+  var i := 0;
+  var sum := 0;
+  while i < |s| {
+    sum := sum + s[i];
+    i := i + 1;
+  }
+}
+```
+
+The `forall` statement ([Section 8.21](#sec-forall-statement)) can also be used
+with arrays where parallel assignment is needed:
+<!-- %check-resolve -->
+```dafny
+method m(s: array<int>) {
+  var rev := new int[s.Length];
+  forall i | 0 <= i < s.Length {
+    rev[i] := s[s.Length-i-1];
+  }
+}
+```
+
+See [Section 5.10.2](#sec-array-to-seq) on how to convert an array to a sequence.
+
+#### 5.5.5.2. Sets
+There is no intrinsic order to the elements of a set. Nevertheless, we can
+extract an arbitrary element of a nonempty set, performing an iteration
+as follows:
+<!-- %check-resolve -->
+```dafny
+method m(s: set<int>) {
+  var ss := s;
+  while ss != {}
+    decreases |ss|
+  {
+    var i: int :| i in ss;
+    ss := ss - {i};
+    print i, "\n";
+  }
+}
+```
+
+Because `iset`s may be infinite, Dafny does not permit iteration over an `iset`.
+
+#### 5.5.5.3. Maps
+
+Iterating over the contents of a `map` uses the component sets: `Keys`, `Values`, and `Items`. The iteration loop follows the same patterns as for sets:
+
+<!-- %check-resolve -->
+```dafny
+method m<T(==),U(==)> (m: map<T,U>) {
+  var items := m.Items;
+  while items != {}
+    decreases |items|
+  {
+    var item :| item in items;
+    items := items - { item };
+    print item.0, " ", item.1, "\n";
+  }
+}
+```
+
+There are no mechanisms currently defined in Dafny for iterating over `imap`s.
+
+
+<!--PDF NEWPAGE-->
+## 5.6. Types that stand for other types ([grammar](#g-type-definition)) {#sec-type-definition}
+
+It is sometimes useful to know a type by several names or to treat a
+type abstractly. There are several mechanisms in Dafny to do this:
+
+* ([Section 5.6.1](#sec-synonym-type)) A typical _synonym type_, in which a type name is a synonym for another type
+* ([Section 5.6.2](#sec-abstract-types)) An _abstract type_, in which a new type name is declared as an uninterpreted type
+* ([Section 5.6.3](#sec-subset-types)) A _subset type_, in which a new type name is given to a subset of the values of a given type
+* ([Section 5.7](#sec-newtypes)) A _newtype_, in which a subset type is declared, but with restrictions on converting to and from its base type
+
+### 5.6.1. Type synonyms ([grammar](#g-type-definition)) {#sec-synonym-type}
+
+<!-- %check-resolve -->
+```dafny
+type T = int
+type SS<T> = set<set<T>>
+```
+
+A _type synonym_ declaration:
+<!-- %no-check -->
+```dafny
+type Y<T> = G
+```
+declares `Y<T>` to be a synonym for the type `G`.
+If the `= G` is omitted then the declaration just declares a name as an uninterpreted
+_abstract_ type, as described in [Section 5.6.2](#sec-abstract-types).  Such types may be
+given a definition elsewhere in the Dafny program.
+
+  Here, `T` is a
+nonempty list of type parameters (each of which optionally
+has a [type characteristics suffix](#sec-type-characteristics)), which can be used as free type
+variables in `G`.  If the synonym has no type parameters, the "`<T>`"
+is dropped.  In all cases, a type synonym is just a synonym.  That is,
+there is never a difference, other than possibly in error messages
+produced, between `Y<T>` and `G`.
+
+For example, the names of the following type synonyms may improve the
+readability of a program:
+<!-- %check-resolve -->
+```dafny
+type Replacements<T> = map<T,T>
+type Vertex = int
+```
+
+The new type name itself may have [type characteristics](#sec-type-characteristics) declared, and may need to if there is no definition.
+If there is a definition, the type characteristics are typically inferred from the definition. The syntax is like this:
+<!-- %no-check -->
+```dafny
+type Z(==)<T(0)>
+```
+
+As already described in [Section 5.5.3.5](#sec-strings), `string` is a built-in
+type synonym for `seq<char>`, as if it would have been declared as
+follows:
+<!-- %check-resolve -->
+```dafny
+type string_(==,0,!new) = seq<char>
+```
+If the implicit declaration did not include the type characteristics, they would be inferred in any case.
+
+Note that although a type synonym can be declared and used in place of a type name, 
+that does not affect the names of datatype or class constructors.
+For example, consider
+<!-- %check-resolve Types.22.expect -->
+```dafny
+datatype Pair<T> = Pair(first: T, second: T)
+type IntPair = Pair<int>
+
+const p: IntPair := Pair(1,2) // OK
+const q: IntPair := IntPair(3,4) // Error
+```
+
+In the declaration of `q`, `IntPair` is the name of a type, not the name of a function or datatype constructor.
+
+### 5.6.2. Abstract types ([grammar](#g-type-definition)) {#sec-abstract-types}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+type T
+type Q { function toString(t: T): string }
+```
+
+An abstract type is a special case of a type synonym that is underspecified.  Such
+a type is declared simply by:
+<!-- %check-resolve -->
+```dafny
+type Y<T>
+```
+Its definition can be stated in a
+refining module.  The name `Y` can be immediately followed by
+a type characteristics suffix ([Section 5.3.1](#sec-type-characteristics)).
+Because there is no defining RHS, the type characteristics cannot be inferred and so
+must be stated. If, in some refining module, a definition of the type is given, the
+type characteristics must match those of the new definition.
+
+For example, the declarations
+<!-- %check-resolve -->
+```dafny
+type T
+function F(t: T): T
+```
+can be used to model an uninterpreted function `F` on some
+arbitrary type `T`.  As another example,
+<!-- %check-resolve -->
+```dafny
+type Monad<T>
+```
+can be used abstractly to represent an arbitrary parameterized monad.
+
+Even as an abstract type, the type
+may be given members such as constants, methods or functions.
+For example,
+<!-- %check-resolve -->
+```dafny
+abstract module P {
+  type T {
+    function ToString(): string
+  }
+}
+
+module X refines P {
+  newtype T = i | 0 <= i < 10 {
+    function ToString(): string {  "" }
+  }
+}
+```
+The abstract type `P.T` has a declared member `ToString`, which can be called wherever `P.T` may be used.
+In the refining module `X`, `T` is declared to be a `newtype`, in which `ToString` now has a body.
+
+It would be an error to refine `P.T` as a simple type synonym or subset type in `X`, say `type T = int`, because
+type synonyms may not have members.
+
+### 5.6.3. Subset types ([grammar](#g-type-definition)) {#sec-subset-types}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+type Pos = i: int | i > 0 witness 1
+type PosReal = r | r > 0.0 witness 1.0
+type Empty = n: nat | n < 0 witness *
+type Big = n: nat | n > 1000 ghost witness 10000
+```
+
+A _subset type_ is a restricted use of an existing type, called
+the _base type_ of the subset type.  A subset type is like a
+combined use of the base type and a predicate on the base
+type.
+
+An assignment from a subset type to its base type is always
+allowed.  An assignment in the other direction, from the base type to
+a subset type, is allowed provided the value assigned does indeed
+satisfy the predicate of the subset type. This condition is checked
+by the verifier, not by the type checker. Similarly, assignments from
+one subset type to another (both with the same base type) are also
+permitted, as long as it can be established that the value being assigned
+satisfies the predicate defining the receiving subset type.
+(Note, in contrast, assignments between a newtype and its base type
+are never allowed, even if the value assigned is a value of the target
+type.  For such assignments, an explicit conversion must be used, see
+[Section 9.10](#sec-as-is-expression).)
+
+The declaration of a subset type permits an optional [`witness` clause](#sec-witness), to declare that there is
+a value that satisfies the subset type's predicate; that is, the witness clause establishes that the defined
+type is not empty. The compiler may, but is not obligated to, use this value when auto-initializing a
+newly declared variable of the subset type.
+
+Dafny builds in three families of subset types, as described next.
+
+#### 5.6.3.1. Type `nat`
+
+The built-in type `nat`, which represents the non-negative integers
+(that is, the natural numbers), is a subset type:
+<!-- %no-check -->
+```dafny
+type nat = n: int | 0 <= n
+```
+
+A simple example that
+puts subset type `nat` to good use is the standard Fibonacci
+function:
+<!-- %check-verify -->
+```dafny
+function Fib(n: nat): nat
+{
+  if n < 2 then n else Fib(n-2) + Fib(n-1)
+}
+```
+An equivalent, but clumsy, formulation of this function (modulo the
+wording of any error messages produced at call sites) would be to use
+type `int` and to write the restricting predicate in pre- and
+postconditions:
+<!-- %check-verify -->
+```dafny
+function Fib(n: int): int
+  requires 0 <= n  // the function argument must be non-negative
+  ensures 0 <= Fib(n)  // the function result is non-negative
+{
+  if n < 2 then n else Fib(n - 2) + Fib(n - 1)
+}
+```
+
+#### 5.6.3.2. Non-null types
+
+Every class, trait, and iterator declaration `C` gives rise to two types.
+
+One type has the name `C?` (that is, the name of the class, trait,
+or iterator declaration with a `?` character appended to the end).
+The values of `C?` are the references to `C` objects, and also
+the value `null`.
+In other words, `C?` is the type of _possibly null_ references
+(aka, _nullable_ references) to `C` objects.
+
+The other type has the name `C` (that is, the same name as the
+class, trait, or iterator declaration).
+Its values are the references to `C` objects, and does not contain
+the value `null`.
+In other words, `C` is the type of _non-null_ references to `C`
+objects.
+
+The type `C` is a subset type of `C?`:
+<!-- %no-check -->
+```dafny
+type C = c: C? | c != null
+```
+(It may be natural to think of the type `C?` as the union of
+type `C` and the value `null`, but, technically, Dafny defines
+`C` as a subset type with base type `C?`.)
+
+From being a subset type, we get that `C` is a subtype of `C?`.
+Moreover, if a class or trait `C` extends a trait `B`, then
+type `C` is a subtype of `B` and type `C?` is a subtype of `B?`.
+
+Every possibly-null reference type is a subtype of the
+built-in possibly-null trait type `object?`, and
+every non-null reference type is a subtype of the
+built-in non-null trait type `object`. (And, from the fact
+that `object` is a subset type of `object?`, we also have that
+`object` is a subtype of `object?`.)
+
+Arrays are references and array types also come in these two flavors.
+For example,
+`array?` and `array2?` are possibly-null (1- and 2-dimensional) array types, and
+`array` and `array2` are their respective non-null types.
+
+Note that `?` is not an operator. Instead, it is simply the last
+character of the name of these various possibly-null types.
+
+#### 5.6.3.3. Arrow types: `->`, `-->`, and `~>` {#sec-arrow-subset-types}
+
+For more information about arrow types (function types), see [Section 5.12](#sec-arrow-types).
+This section is a preview to point out the subset-type relationships among the kinds
+of function types.
+
+The built-in type 
+
+- `->` stands for total functions, 
+- `-->` stands for partial functions (that is, functions with possible `requires` clauses),
+and 
+- `~>` stands for all functions. 
+
+More precisely, type constructors
+exist for any arity (`() -> X`, `A -> X`, `(A, B) -> X`, `(A, B, C) -> X`,
+etc.).
+
+For a list of types `TT` and a type `U`, the values of the arrow type `(TT) ~> U`
+are functions from `TT` to `U`. This includes functions that may read the
+heap and functions that are not defined on all inputs. It is not common
+to need this generality (and working with such general functions is
+difficult). Therefore, Dafny defines two subset types that are more common
+(and much easier to work with).
+
+The type `(TT) --> U` denotes the subset of `(TT) ~> U` where the functions
+do not read the (mutable parts of the) heap.
+Values of type `(TT) --> U` are called _partial functions_,
+and the subset type `(TT) --> U` is called the _partial arrow type_.
+(As a mnemonic to help you remember that this is the partial arrow, you may
+think of the little gap between the two hyphens in `-->` as showing a broken
+arrow.)
+
+Intuitively, the built-in partial arrow type is defined as follows (here shown
+for arrows with arity 1):
+<!-- %no-check -->
+```dafny
+type A --> B = f: A ~> B | forall a :: f.reads(a) == {}
+```
+(except that what is shown here left of the `=` is not legal Dafny syntax
+and that the restriction could not be verified as is).
+That is, the partial arrow type is defined as those functions `f`
+whose reads frame is empty for all inputs.
+More precisely, taking variance into account, the partial arrow type
+is defined as
+<!-- %no-check -->
+```dafny
+type -A --> +B = f: A ~> B | forall a :: f.reads(a) == {}
+```
+
+The type `(TT) -> U` is, in turn, a subset type of `(TT) --> U`, adding the
+restriction that the functions must not impose any precondition. That is,
+values of type `(TT) -> U` are _total functions_, and the subset type
+`(TT) -> U` is called the _total arrow type_.
+
+The built-in total arrow type is defined as follows (here shown
+for arrows with arity 1):
+<!-- %no-check -->
+```dafny
+type -A -> +B = f: A --> B | forall a :: f.requires(a)
+```
+That is, the total arrow type is defined as those partial functions `f`
+whose precondition evaluates to `true` for all inputs.
+
+Among these types, the most commonly used are the total arrow types.
+They are also the easiest to work with. Because they are common, they
+have the simplest syntax (`->`).
+
+Note, informally, we tend to speak of all three of these types as arrow types,
+even though, technically, the `~>` types are the arrow types and the
+`-->` and `->` types are subset types thereof. The one place where you may need to
+remember that `-->` and `->` are subset types is in some error messages.
+For example, if you try to assign a partial function to a variable whose
+type is a total arrow type and the verifier is not able to prove that the
+partial function really is total, then you'll get an error saying that the subset-type
+constraint may not be satisfied.
+
+For more information about arrow types, see [Section 5.12](#sec-arrow-types).
+
+#### 5.6.3.4. Witness clauses {#sec-witness}
+
+The declaration of a subset type permits an optional `witness` clause.
+Types in Dafny are generally expected to be non-empty, in part because
+variables of any type are expected to have some value when they are used.
+In many cases, Dafny can determine that a newly declared type has 
+some value. 
+For example, in the absence of a witness clause,
+a numeric type that includes 0 is known by Dafny
+to be non-empty.
+However, Dafny cannot always make this determination.
+If it cannot, a `witness` clause is required. The value given in
+the `witness` clause must be a valid value for the type and assures Dafny
+that the type is non-empty. (The variation `witness *` is described below.)
+
+
+For example, 
+<!-- %check-verify Types.10.expect -->
+```dafny
+type OddInt = x: int | x % 2 == 1
+```
+will give an error message, but
+<!-- %check-verify -->
+```dafny
+type OddInt = x: int | x % 2 == 1 witness 73
+```
+does not. Here is another example:
+<!-- %check-verify -->
+```dafny
+type NonEmptySeq = x: seq<int> | |x| > 0 witness [0]
+```
+
+If the witness is only available in ghost code, you can declare the witness
+as a `ghost witness`. In this case, the Dafny verifier knows that the type
+is non-empty, but it will not be able to auto-initialize a variable of that
+type in compiled code.
+
+There is even room to do the following:
+<!-- %check-verify -->
+```dafny
+type BaseType
+predicate RHS(x: BaseType)
+type MySubset = x: BaseType | RHS(x) ghost witness MySubsetWitness()
+
+function {:axiom} MySubsetWitness(): BaseType
+  ensures RHS(MySubsetWitness())
+```
+Here the type is given a ghost witness: the result of the expression
+`MySubsetWitness()`, which is a call of a (ghost) function.
+Now that function has a postcondition saying that the returned value 
+is indeed a candidate value for the declared type, so the verifier is
+satisfied regarding the non-emptiness of the type. However, the function
+has no body, so there is still no proof that there is indeed such a witness.
+You can either supply a, perhaps complicated, body to generate a viable
+candidate or you can be very sure, without proof, that there is indeed such a value.
+If you are wrong, you have introduced an unsoundness into your program.
+
+In addition though, types are allowed to be empty or possibly empty.
+This is indicated by the clause `witness *`, which tells the verifier not to check for a satisfying witness.
+A declaration like this produces an empty type:
+<!-- %check-verify %save ReallyEmpty.tmp -->
+```dafny
+type ReallyEmpty = x: int | false witness *
+```
+The type can be used in code like
+<!-- %check-verify %use ReallyEmpty.tmp -->
+```dafny
+method M(x: ReallyEmpty) returns (seven: int)
+  ensures seven == 7
+{
+  seven := 10;
+}
+```
+which does verify. But the method can never be called because there is no value that
+can be supplied as the argument. Even this code
+<!-- %check-verify Types.10a.expect %use ReallyEmpty.tmp -->
+```dafny
+method P() returns (seven: int)
+  ensures seven == 7
+{
+  var x: ReallyEmpty;
+  seven := 10;
+}
+```
+does not complain about `x` unless `x` is actually used, in which case it must have a value.
+The postcondition in `P` does not verify, but not because of the empty type.
+
+<!--PDF NEWPAGE-->
+## 5.7. Newtypes ([grammar](#g-type-definition)) {#sec-newtypes}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+newtype I = int
+newtype D = i: int | 0 <= i < 10
+newtype uint8 = i | 0 <= i < 256
+```
+
+A newtype is like a type synonym or subset type except that it declares a wholly new type
+name that is distinct from its base type. It also accepts an optional [`witness` clause](#sec-witness).
+
+A new type can be declared with the _newtype_
+declaration, for example:
+<!-- %no-check -->
+```dafny
+newtype N = x: M | Q
+```
+where `M` is a type and `Q` is a boolean expression that can
+use `x` as a free variable.  If `M` is an integer-based numeric type,
+then so is `N`; if `M` is real-based, then so is `N`.  If the type `M`
+can be inferred from `Q`, the "`: M`" can be omitted.  If `Q` is just
+`true`, then the declaration can be given simply as:
+<!-- %no-check -->
+```dafny
+newtype N = M
+```
+Type `M` is known as the _base type_ of `N`. At present, Dafny only supports
+`int` and `real` as base types of newtypes.
+
+A newtype is a type that supports the same operations as its
+base type.  The newtype is distinct from and incompatible with other
+types; in particular, it is not assignable to its base type
+without an explicit conversion.  An important difference between the
+operations on a newtype and the operations on its base type is that
+the newtype operations are defined only if the result satisfies the
+predicate `Q`, and likewise for the literals of the
+newtype.
+
+For example, suppose `lo` and `hi` are integer-based numeric bounds that
+satisfy `0 <= lo <= hi` and consider the following code fragment:
+<!-- %no-check -->
+```dafny
+var mid := (lo + hi) / 2;
+```
+If `lo` and `hi` have type `int`, then the code fragment is legal; in
+particular, it never overflows, since `int` has no upper bound.  In
+contrast, if `lo` and `hi` are variables of a newtype `int32` declared
+as follows:
+<!-- %check-verify -->
+```dafny
+newtype int32 = x | -0x8000_0000 <= x < 0x8000_0000
+```
+then the code fragment is erroneous, since the result of the addition
+may fail to satisfy the predicate in the definition of `int32`.  The
+code fragment can be rewritten as
+<!-- %no-check -->
+```dafny
+var mid := lo + (hi - lo) / 2;
+```
+in which case it is legal for both `int` and `int32`.
+
+An additional point with respect to arithmetic overflow is that for (signed)
+`int32` values `hi` and `lo` constrained only by `lo <= hi`, the difference `hi - lo`
+can also overflow the bounds of the `int32` type. So you could also write:
+<!-- %no-check -->
+```dafny
+var mid := lo + (hi/2 - lo/2);
+```
+
+Since a newtype is incompatible with its base type and since all
+results of the newtype's operations are members of the newtype, a
+compiler for Dafny is free to specialize the run-time representation
+of the newtype.  For example, by scrutinizing the definition of
+`int32` above, a compiler may decide to store `int32` values using
+signed 32-bit integers in the target hardware.
+
+The incompatibility of a newtype and its basetype is intentional,
+as newtypes are meant to be used as distinct types from the basetype.
+If numeric types are desired that mix more readily with the basetype,
+the subset types described in [Section 5.6.3](#sec-subset-types)
+ may be more appropriate.
+
+Note that the bound variable `x` in `Q` has type `M`, not `N`.
+Consequently, it may not be possible to state `Q` about the `N`
+value.  For example, consider the following type of 8-bit 2's
+complement integers:
+<!-- %check-verify -->
+```dafny
+newtype int8 = x: int | -128 <= x < 128
+```
+and consider a variable `c` of type `int8`.  The expression
+<!-- %no-check -->
+```dafny
+-128 <= c < 128
+```
+is not well-defined, because the comparisons require each operand to
+have type `int8`, which means the literal `128` is checked to be of
+type `int8`, which it is not.  A proper way to write this expression
+is to use a conversion operation, described in [Section 5.7.1](#sec-conversion), on `c` to
+convert it to the base type:
+<!-- %no-check -->
+```dafny
+-128 <= c as int < 128
+```
+
+If possible, Dafny compilers will represent values of the newtype using
+a native type for the sake of efficiency. This action can
+be inhibited or a specific native data type selected by
+using the `{:nativeType}` attribute, as explained in
+[Section 11.1.2](#sec-nativetype).
+
+Furthermore, for the compiler to be able to make an appropriate choice of
+representation, the constants in the defining expression as shown above must be
+known constants at compile-time. They need not be numeric literals; combinations
+of basic operations and symbolic constants are also allowed as described
+in [Section 9.39](#sec-compile-time-constants).
+
+### 5.7.1. Conversion operations {#sec-conversion}
+
+For every type `N`, there is a conversion operation with the
+name `as N`, described more fully in [Section 9.10](#sec-as-is-expression).
+It is a partial function defined when the
+given value, which can be of any type, is a member of the type
+converted to.  When the conversion is from a real-based numeric type
+to an integer-based numeric type, the operation requires that the
+real-based argument have no fractional part.  (To round a real-based
+numeric value down to the nearest integer, use the `.Floor` member,
+see [Section 5.2.2](#sec-numeric-types).)
+
+To illustrate using the example from above, if `lo` and `hi` have type
+`int32`, then the code fragment can legally be written as follows:
+<!-- %no-check -->
+```dafny
+var mid := (lo as int + hi as int) / 2;
+```
+where the type of `mid` is inferred to be `int`.  Since the result
+value of the division is a member of type `int32`, one can introduce
+yet another conversion operation to make the type of `mid` be `int32`:
+<!-- %no-check -->
+```dafny
+var mid := ((lo as int + hi as int) / 2) as int32;
+```
+If the compiler does specialize the run-time representation for
+`int32`, then these statements come at the expense of two,
+respectively three, run-time conversions.
+
+The `as N` conversion operation is grammatically a suffix operation like
+`.`field and array indexing, but binds less tightly than unary operations:
+`- x as int` is `(- x) as int`; `a + b as int` is `a + (b as int)`.
+
+The `as N` conversion can also be used with reference types. For example,
+if `C` is a class, `c` is an expression of type `C`, and `o` is an expression
+of type `object`, then `c as object` and `c as object?` are upcasts
+and `o is C` is a downcast. A downcast requires the LHS expression to
+have the RHS type, as is enforced by the verifier.
+
+For some types (in particular, reference types), there is also a
+corresponding `is` operation ([Section 9.10](#sec-as-is-expression)) that
+tests whether a value is valid for a given type.
+
+<!--PDF NEWPAGE-->
+## 5.8. Class types ([grammar](#g-class-type)) {#sec-class-types}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+trait T {}
+class A {}
+class B extends T {
+  const b: B?
+  var v: int
+  constructor (vv: int) { v := vv; b := null; }
+  function toString(): string { "a B" }
+  method m(i: int) { var x := new B(0); }
+  static method q() {}
+}
+```
+
+Declarations within a class all begin with keywords and do not end with semicolons.
+
+
+
+A _class_ `C` is a reference type declared as follows:
+<!-- %no-check -->
+```dafny
+class C<T> extends J1, ..., Jn
+{
+  _members_
+}
+```
+where the <>-enclosed list of one-or-more type parameters `T` is optional. The text
+"`extends J1, ..., Jn`" is also optional and says that the class extends traits `J1` ... `Jn`.
+The members of a class are _fields_, _constant fields_, _functions_, and
+_methods_.  These are accessed or invoked by dereferencing a reference
+to a `C` instance.
+
+A function or method is invoked on an _instance_
+of `C`, unless the function or method is declared `static`.
+A function or method that is not `static` is called an
+_instance_ function or method.
+
+An instance function or method takes an implicit _receiver_
+parameter, namely, the instance used to access the member.  In the
+specification and body of an instance function or method, the receiver
+parameter can be referred to explicitly by the keyword `this`.
+However, in such places, members of `this` can also be mentioned
+without any qualification.  To illustrate, the qualified `this.f` and
+the unqualified `f` refer to the same field of the same object in the
+following example:
+<!-- %check-resolve -->
+```dafny
+class C {
+  var f: int
+  var x: int
+  method Example() returns (b: bool)
+  {
+    var x: int;
+    b := f == this.f;
+  }
+}
+```
+so the method body always assigns `true` to the out-parameter `b`.
+However, in this example, `x` and `this.x` are different because
+the field `x` is shadowed by the declaration of the local variable `x`.
+There is no semantic difference between qualified and
+unqualified accesses to the same receiver and member.
+
+A `C` instance is created using `new`. There are three forms of `new`,
+depending on whether or not the class declares any _constructors_
+(see [Section 6.3.2](#sec-constructor-methods)):
+
+<!-- %no-check -->
+```dafny
+c := new C;
+c := new C.Init(args);
+c := new C(args);
+```
+
+For a class with no constructors, the first two forms can be used.
+The first form simply allocates a new instance of a `C` object, initializing
+its fields to values of their respective types (and initializing each `const` field
+with a RHS to its specified value). The second form additionally invokes
+an _initialization method_ (here, named `Init`) on the newly allocated object
+and the given arguments. It is therefore a shorthand for
+<!-- %no-check -->
+```dafny
+c := new C;
+c.Init(args);
+```
+An initialization method is an ordinary method that has no out-parameters and
+that modifies no more than `this`.
+
+For a class that declares one or more constructors, the second and third forms
+of `new` can be used. For such a class, the second form invokes the indicated
+constructor (here, named `Init`), which allocates and initializes the object.
+The third form is the same as the second, but invokes the _anonymous constructor_
+of the class (that is, a constructor declared with the empty-string name).
+
+The details of constructors and other class members are described in [Section 6.3.2](#sec-constructor-methods).
+
+<!--PDF NEWPAGE-->
+## 5.9. Trait types ([grammar](#g-trait-type)) {#sec-trait-types}
+
+A _trait_ is an abstract superclass, similar to an "interface" or
+"mixin". A trait can be _extended_ only by another trait or
+by a class (and in the latter case we say that the class _implements_
+the trait). More specifically, algebraic datatypes cannot extend traits.[^fn-traits]
+
+[^fn-traits]: Traits are new to Dafny and are likely to evolve for a while.
+
+The declaration of a trait is much like that of a class:
+<!-- %no-check -->
+```dafny
+trait J
+{
+  _members_
+}
+```
+where _members_ can include fields, constant fields, functions, methods and declarations of nested traits, but
+no constructor methods.  The functions and methods are allowed to be
+declared `static`.
+
+A reference type `C` that extends a trait `J` is assignable to a variable of
+type `J`;
+a value of type `J` is assignable to a variable of a reference type `C` that
+extends `J` only if the verifier can prove that the reference does
+indeed refer to an object of allocated type `C`.
+The members of `J` are available as members
+of `C`.  A member in `J` is not allowed to be redeclared in `C`,
+except if the member is a non-`static` function or method without a
+body in `J`.  By doing so, type `C` can supply a stronger
+specification and a body for the member. There is further discussion on
+this point in [Section 5.9.2](#sec-inheritance).
+
+`new` is not allowed to be used with traits.  Therefore, there is no
+object whose allocated type is a trait.  But there can of course be
+objects of a class `C` that implement a trait `J`, and a reference to
+such a `C` object can be used as a value of type `J`.
+
+### 5.9.1. Type `object` ([grammar](#g-object-type)) {#sec-object-type}
+
+There is a built-in trait `object` that is implicitly extended by all classes and traits.
+It produces two types: the type `object?` that is a supertype of all
+reference types and a subset type `object` that is a supertype of all non-null reference types.
+This includes reference types like arrays and iterators that do not permit
+explicit extending of traits. The purpose of type `object`
+is to enable a uniform treatment of _dynamic frames_. In particular, it
+is useful to keep a ghost field (typically named `Repr` for
+"representation") of type `set<object>`.
+
+It serves no purpose (but does no harm) to explicitly list the trait `object` as
+an extendee in a class or trait declaration.
+
+Traits `object?` and  `object` contain no members.
+
+The dynamic allocation of objects is done using `new C`...,
+ where `C` is the name of a class.
+ The name `C` is not allowed to be a trait,
+ except that it is allowed to be `object`.
+ The construction `new object` allocates a new object (of an unspecified class type).
+ The construction can be used to create unique references, where no other properties of those references are needed.
+(`new object?` makes no sense; always use `new object` instead because the result of
+`new` is always non-null.)
+
+### 5.9.2. Inheritance {#sec-inheritance}
+
+The purpose of traits is to be able to express abstraction: a trait
+encapsulates a set of behaviors; classes and traits that extend it
+_inherit_ those behaviors, perhaps specializing them.
+
+A trait or class may extend multiple other traits.
+The traits syntactically listed in a trait or class's `extends` clause
+are called its _direct parents_; the _transitive parents_ of a trait or class
+are its direct parents, the transitive parents of its direct parents, and
+the `object` trait (if it is not itself `object`).
+These are sets of traits, in that it does not matter if
+there are repetitions of a given trait in a class or trait's direct or
+transitive parents. However, if a trait with type parameters is repeated,
+it must have the same actual type parameters in each instance.
+Furthermore, a trait may not be in its own set of transitive parents; that is,
+the graph of traits connected by the directed _extends_ relationship may not
+have any cycles.
+
+A class or trait inherits (as if they are copied) all the instance members
+of its transitive parents. However, since names may not be overloaded in
+Dafny, different members (that is, members with different type signatures)
+within the set of transitive parents and the class or trait itself must have different names.[^overload]
+This restriction does mean that traits from different sources that
+coincidentally use the same name for different purposes cannot be combined
+by being part of the set of transitive parents for some new trait or class.
+
+A declaration of  member `C.M` in a class or trait _overrides_ any other declarations
+of the same name (and signature) in a transitive parent. `C.M` is then called an
+override; a declaration that
+does not override anything is called an _original declaration_.
+
+Static members of a trait may not be redeclared;
+thus, if there is a body it must be declared in the trait;
+the compiler will require a body, though the verifier will not.
+
+[//]: # Caution - a newline (not a blank line) ends a footnote
+[^overload]: It is possible to conceive of a mechanism for disambiguating conflicting names, but this would add complexity to the language that does not appear to be needed, at least as yet.
+
+Where traits within an extension hierarchy do declare instance members with the same
+name (and thus the same signature), some rules apply. Recall that, for methods,
+every declaration includes a specification; if no specification is given
+explicitly, a default specification applies. Instance method declarations in traits,
+however, need not have a body, as a body can be declared in an override.
+
+For a given non-static method M,
+
+* A trait or class may not redeclare M if it has a transitive parent that declares M and provides a body.
+* A trait may but need not provide a body if all its transitive parents that declare M do not declare a body.
+* A trait or class may not have more than one transitive parent that declares M with a body.
+* A class that has one or more transitive parents that declare M without a body
+and no transitive parent that declares M with a body must itself redeclare M
+with a body if it is compiled. (The verifier alone does not require a body.)
+* Currently (and under debate), the following restriction applies:
+if `M` overrides two (or more) declarations, `P.M` and `Q.M`, then either
+`P.M` must override `Q.M` or `Q.M` must override `P.M`.
+
+The last restriction above is the current implementation. It effectively limits
+inheritance of a method M to a single "chain" of declarations and does not
+permit mixins.
+
+Each of any method declarations explicitly or implicitly
+includes a specification. In simple cases, those syntactically separate
+specifications will be copies of each other (up to renaming to take account
+of differing formal parameter names). However they need not be. The rule is
+that the specifications of M in a given class or trait must be _as strong as_
+M's specifications in a transitive parent.
+Here _as strong as_  means that it
+must be permitted to call the subtype's M in the context of the supertype's M.
+Stated differently, where P and C are a parent trait and a child class or trait,
+respectively, then, under the precondition of `P.M`,
+
+* C.M's `requires` clause must be implied by P.M's `requires` clause
+* C.M's `ensures` clause must imply P.M's `ensures` clause
+* C.M's `reads` set must be a subset of P.M's `reads` set
+* C.M's `modifies` set must be a subset of P.M's `modifies` set
+* C.M's `decreases` expression must be smaller than or equal to P.M's `decreases` expression
+
+Non-static const and field declarations are also inherited from parent traits.
+These may not be redeclared in extending traits and classes.
+However, a trait need not initialize a const field with a value.
+The class that extends a trait that declares such a const field without an
+initializer can initialize the field in a constructor.
+If the declaring trait does give
+an initial value in the declaration, the extending class or trait may not either
+redeclare the field or give it a value in a constructor.
+
+When names are inherited from multiple traits, they must be different.
+If two traits declare a common name (even with the same signature),
+they cannot both be extendees of the same class or trait.
+
+### 5.9.3. Example of traits
+As an example, the following trait represents movable geometric shapes:
+<!-- %check-verify %save Shape.tmp -->
+```dafny
+trait Shape
+{
+  function Width(): real
+    reads this
+    decreases 1
+  method Move(dx: real, dy: real)
+    modifies this
+  method MoveH(dx: real)
+    modifies this
+  {
+    Move(dx, 0.0);
+  }
+}
+```
+Members `Width` and `Move` are _abstract_ (that is, body-less) and can
+be implemented differently by different classes that extend the trait.
+The implementation of method `MoveH` is given in the trait and thus
+is used by all classes that extend `Shape`.  Here are two classes
+that each extend `Shape`:
+<!-- %check-verify %use Shape.tmp %save UnitSquare.tmp -->
+```dafny
+class UnitSquare extends Shape
+{
+  var x: real, y: real
+  function Width(): real 
+    decreases 0
+  {  // note the empty reads clause
+    1.0
+  }
+  method Move(dx: real, dy: real)
+    modifies this
+  {
+    x, y := x + dx, y + dy;
+  }
+}
+
+class LowerRightTriangle extends Shape
+{
+  var xNW: real, yNW: real, xSE: real, ySE: real
+  function Width(): real
+    reads this
+    decreases 0
+  {
+    xSE - xNW
+  }
+  method Move(dx: real, dy: real)
+    modifies this
+  {
+    xNW, yNW, xSE, ySE := xNW + dx, yNW + dy, xSE + dx, ySE + dy;
+  }
+}
+```
+Note that the classes can declare additional members, that they supply
+implementations for the abstract members of the trait,
+that they repeat the member signatures, and that they are responsible
+for providing their own member specifications that both strengthen the
+corresponding specification in the trait and are satisfied by the
+provided body.
+Finally, here is some code that creates two class instances and uses
+them together as shapes:
+<!-- %check-verify %use UnitSquare.tmp -->
+```dafny
+method m() {
+  var myShapes: seq<Shape>;
+  var A := new UnitSquare;
+  myShapes := [A];
+  var tri := new LowerRightTriangle;
+  // myShapes contains two Shape values, of different classes
+  myShapes := myShapes + [tri];
+  // move shape 1 to the right by the width of shape 0
+  myShapes[1].MoveH(myShapes[0].Width());
+}
+```
+
+<!--PDF NEWPAGE-->
+## 5.10. Array types ([grammar](#g-array-type)) {#sec-array-type}
+
+Dafny supports mutable fixed-length _array types_ of any positive
+dimension.  Array types are (heap-based) reference types.
+
+`arrayToken` is a kind of [reserved token](#sec-reserved-words),
+such as `array`, `array?`, `array2`, `array2?`, `array3`, and so on (but not `array1`).
+The type parameter suffix giving the element type can be omitted if the element type can be inferred, though in that case it is likely that the `arrayToken` itself is also
+inferrable and can be omitted.
+
+### 5.10.1. One-dimensional arrays
+
+A one-dimensional array of `n` `T` elements may be initialized by
+any expression that returns a value of the desired type.
+Commonly, [array allocation expressions](#sec-array-allocation) are used.
+Some examples are shown here:
+<!-- %check-verify %options --relax-definite-assignment -->
+```dafny
+type T(0)
+method m(n: nat) {
+  var a := new T[n];
+  var b: array<int> := new int[8];
+  var c: array := new T[9];
+}
+```
+The initial values of the array elements are arbitrary values of type
+`T`. 
+A one-dimensional array value can also be assigned using an ordered list of expressions enclosed in square brackets, as follows:
+<!-- %no-check -->
+```dafny
+a := new T[] [t1, t2, t3, t4];
+```
+The initialization can also use an expression that returns a function of type `nat -> T`:
+<!-- %no-check -->
+```dafny
+a := new int[5](i => i*i);
+```
+In fact, the initializer can simply be a function name for the right type of function:
+<!-- %no-check -->
+```dafny
+a := new int[5](Square);
+```
+
+The length of an array is retrieved using the immutable `Length`
+member.  For example, the array allocated with `a := new T[n];` satisfies:
+<!-- %no-check -->
+```dafny
+a.Length == n
+```
+Once an array is allocated, its length cannot be changed.
+
+For any integer-based numeric `i` in the range `0 <= i < a.Length`,
+the _array selection_ expression `a[i]` retrieves element `i` (that
+is, the element preceded by `i` elements in the array).  The
+element stored at `i` can be changed to a value `t` using the array
+update statement:
+<!-- %no-check -->
+```dafny
+a[i] := t;
+```
+
+Caveat: The type of the array created by `new T[n]` is
+`array<T>`.  A mistake that is simple to make and that can lead to
+befuddlement is to write `array<T>` instead of `T` after `new`.
+For example, consider the following:
+<!-- %check-resolve Types.17.expect -->
+```dafny
+type T(0)
+method m(n: nat) {
+  var a := new array<T>;
+  var b := new array<T>[n];
+  var c := new array<T>(n);  // resolution error
+  var d := new array(n);  // resolution error
+}
+```
+The first statement allocates an array of type `array<T>`, but of
+unknown length.  The second allocates an array of type
+`array<array<T>>` of length `n`, that is, an array that holds `n`
+values of type `array<T>`.  The third statement allocates an
+array of type `array<T>` and then attempts to invoke an anonymous
+constructor on this array, passing argument `n`.  Since `array` has no
+constructors, let alone an anonymous constructor, this statement
+gives rise to an error.  If the type-parameter list is omitted for a
+type that expects type parameters, Dafny will attempt to fill these
+in, so as long as the `array` type parameter can be inferred, it is
+okay to leave off the "`<T>`" in the fourth statement above.  However,
+as with the third statement, `array` has no anonymous constructor, so
+an error message is generated.
+
+### 5.10.2. Converting arrays to sequences {#sec-array-to-seq}
+
+One-dimensional arrays support operations that convert a stretch of
+consecutive elements into a sequence.  For any array `a` of type
+`array<T>`, integer-based numeric bounds `lo` and `hi` satisfying
+`0 <= lo <= hi <= a.Length`, noting that bounds can equal the array's length,
+the following operations each yields a
+`seq<T>`:
+
+ expression          | description
+---------------------|------------------------------------
+ `a[lo..hi]`         | subarray conversion to sequence
+ `a[lo..]`           | drop
+ `a[..hi]`           | take
+ `a[..]`             | array conversion to sequence
+
+The expression `a[lo..hi]` takes the first `hi` elements of the array,
+then drops the first `lo` elements thereof and returns what remains as
+a sequence, with length `hi - lo`.
+The other operations are special instances of the first.  If `lo` is
+omitted, it defaults to `0` and if `hi` is omitted, it defaults to
+`a.Length`.
+In the last operation, both `lo` and `hi` have been omitted, thus
+`a[..]` returns the sequence consisting of all the array elements of
+`a`.
+
+The subarray operations are especially useful in specifications.  For
+example, the loop invariant of a binary search algorithm that uses
+variables `lo` and `hi` to delimit the subarray where the search `key`
+may still be found can be expressed as follows:
+<!-- %no-check -->
+```dafny
+key !in a[..lo] && key !in a[hi..]
+```
+Another use is to say that a certain range of array elements have not
+been changed since the beginning of a method:
+<!-- %no-check -->
+```dafny
+a[lo..hi] == old(a[lo..hi])
+```
+or since the beginning of a loop:
+<!-- %no-check -->
+```dafny
+ghost var prevElements := a[..];
+while // ...
+  invariant a[lo..hi] == prevElements[lo..hi]
+{
+  // ...
+}
+```
+Note that the type of `prevElements` in this example is `seq<T>`, if
+`a` has type `array<T>`.
+
+A final example of the subarray operation lies in expressing that an
+array's elements are a permutation of the array's elements at the
+beginning of a method, as would be done in most sorting algorithms.
+Here, the subarray operation is combined with the sequence-to-multiset
+conversion:
+<!-- %no-check -->
+```dafny
+multiset(a[..]) == multiset(old(a[..]))
+```
+
+### 5.10.3. Multi-dimensional arrays {#sec-multi-dimensional-arrays}
+
+An array of 2 or more dimensions is mostly like a one-dimensional
+array, except that `new` takes more length arguments (one for each
+dimension), and the array selection expression and the array update
+statement take more indices.  For example:
+<!-- %no-check -->
+```dafny
+matrix := new T[m, n];
+matrix[i, j], matrix[x, y] := matrix[x, y], matrix[i, j];
+```
+create a 2-dimensional array whose dimensions have lengths `m` and
+`n`, respectively, and then swaps the elements at `i,j` and `x,y`.
+The type of `matrix` is `array2<T>`, and similarly for
+higher-dimensional arrays (`array3<T>`, `array4<T>`, etc.).  Note,
+however, that there is no type `array0<T>`, and what could have been
+`array1<T>` is actually named just `array<T>`. (Accordingly, `array0` and `array1` are just
+normal identifiers, not type names.)
+
+The `new` operation above requires `m` and `n` to be non-negative
+integer-based numerics.  These lengths can be retrieved using the
+immutable fields `Length0` and `Length1`.  For example, the following
+holds for the array created above:
+<!-- %no-check -->
+```dafny
+matrix.Length0 == m && matrix.Length1 == n
+```
+Higher-dimensional arrays are similar (`Length0`, `Length1`,
+`Length2`, ...).  The array selection expression and array update
+statement require that the indices are in bounds.  For example, the
+swap statement above is [well-formed](#sec-assertion-batches) only if:
+<!-- %no-check -->
+```dafny
+0 <= i < matrix.Length0 && 0 <= j < matrix.Length1 &&
+0 <= x < matrix.Length0 && 0 <= y < matrix.Length1
+```
+
+In contrast to one-dimensional arrays, there is no operation to
+convert stretches of elements from a multi-dimensional array to a
+sequence.
+
+There is however syntax to create a multi-dimensional array value
+using a function: see [Section 9.16](#sec-array-allocation).
+
+
+<!--PDF NEWPAGE-->
+## 5.11. Iterator types ([grammar](#g-iterator-type)) {#sec-iterator-types}
+
+See [Section 7.5](#sec-iterator-specification) for a description of iterator specifications.
+
+An _iterator_ provides a programming abstraction for writing code that
+iteratively returns elements.  These CLU-style iterators are
+_co-routines_ in the sense that they keep track of their own program
+counter and control can be transferred into and out of the iterator
+body.
+
+An iterator is declared as follows:
+<!-- %no-check -->
+```dafny
+iterator Iter<T>(_in-params_) yields (_yield-params_)
+  _specification_
+{
+  _body_
+}
+```
+where `T` is a list of type parameters (as usual, if there are no type
+parameters, "`<T>`" is omitted). This declaration gives rise to a
+reference type with the same name, `Iter<T>`. In the signature,
+in-parameters and yield-parameters are the iterator's analog of a
+method's in-parameters and out-parameters. The difference is that the
+out-parameters of a method are returned to a caller just once, whereas
+the yield-parameters of an iterator are returned each time the iterator
+body performs a `yield`. The body consists of statements, like in a
+method body, but with the availability also of `yield` statements.
+
+From the perspective of an iterator client, the `iterator` declaration
+can be understood as generating a class `Iter<T>` with various
+members, a simplified version of which is described next.
+
+The `Iter<T>` class contains an anonymous constructor whose parameters
+are the iterator's in-parameters:
+<!-- %no-check -->
+```dafny
+predicate Valid()
+constructor (_in-params_)
+  modifies this
+  ensures Valid()
+```
+An iterator is created using `new` and this anonymous constructor.
+For example, an iterator willing to return ten consecutive integers
+from `start` can be declared as follows:
+<!-- %check-verify %save Gen.tmp -->
+```dafny
+iterator Gen(start: int) yields (x: int)
+  yield ensures |xs| <= 10 && x == start + |xs| - 1
+{
+  var i := 0;
+  while i < 10 invariant |xs| == i {
+    x := start + i;
+    yield;
+    i := i + 1;
+  }
+}
+```
+An instance of this iterator is created using
+<!-- %no-check -->
+```dafny
+iter := new Gen(30);
+```
+It is used like this:
+<!-- %check-verify %use Gen.tmp -->
+```dafny
+method Main() {
+  var i := new Gen(30);
+  while true
+    invariant i.Valid() && fresh(i._new)
+    decreases 10 - |i.xs|
+  {
+    var m := i.MoveNext();
+    if (!m) {break; }
+    print i.x;
+  }
+}
+```
+
+The predicate `Valid()` says when the iterator is in a state where one
+can attempt to compute more elements.  It is a postcondition of the
+constructor and occurs in the specification of the `MoveNext` member:
+<!-- %no-check -->
+```dafny
+method MoveNext() returns (more: bool)
+  requires Valid()
+  modifies this
+  ensures more ==> Valid()
+```
+Note that the iterator remains valid as long as `MoveNext` returns
+`true`.  Once `MoveNext` returns `false`, the `MoveNext` method can no
+longer be called.  Note, the client is under no obligation to keep
+calling `MoveNext` until it returns `false`, and the body of the
+iterator is allowed to keep returning elements forever.
+
+The in-parameters of the iterator are stored in immutable fields of
+the iterator class.  To illustrate in terms of the example above, the
+iterator class `Gen` contains the following field:
+<!-- %no-check -->
+```dafny
+const start: int
+```
+The yield-parameters also result in members of the iterator class:
+<!-- %no-check -->
+```dafny
+var x: int
+```
+These fields are set by the `MoveNext` method.  If `MoveNext` returns
+`true`, the latest yield values are available in these fields and the
+client can read them from there.
+
+To aid in writing specifications, the iterator class also contains
+ghost members that keep the history of values returned by
+`MoveNext`.  The names of these ghost fields follow the names of the
+yield-parameters with an "`s`" appended to the name (to suggest
+plural).  Name checking rules make sure these names do not give rise
+to ambiguities.  The iterator class for `Gen` above thus contains:
+<!-- %no-check -->
+```dafny
+ghost var xs: seq<int>
+```
+These history fields are changed automatically by `MoveNext`, but are
+not assignable by user code.
+
+Finally, the iterator class contains some special fields for use in
+specifications.  In particular, the iterator specification is
+recorded in the following immutable fields:
+<!-- %no-check -->
+```dafny
+ghost var _reads: set<object>
+ghost var _modifies: set<object>
+ghost var _decreases0: T0
+ghost var _decreases1: T1
+// ...
+```
+where there is a `_decreases(`_i_`): T(`_i_`)` field for each
+component of the iterator's `decreases`
+clause.[^fn-iterator-field-names]
+In addition, there is a field:
+<!-- %no-check -->
+```dafny
+ghost var _new: set<object>;
+```
+to which any objects allocated on behalf of the iterator body are
+added.  The iterator body is allowed to remove elements from the
+`_new` set, but cannot by assignment to `_new` add any elements.
+
+[^fn-iterator-field-names]:  It would make sense to rename the special
+    fields `_reads` and `_modifies` to have the same names as the
+    corresponding keywords, `reads` and `modifies`, as is done for
+    function values.  Also, the various `_decreases\(_i_\)` fields can be
+    combined into one field named `decreases` whose type is a
+    _n_-tuple. These changes may be incorporated into a future version
+    of Dafny.
+
+Note, in the precondition of the iterator, which is to hold upon
+construction of the iterator, the in-parameters are indeed
+in-parameters, not fields of `this`.
+
+`reads` clauses on iterators have a different meaning than they do on functions and methods.
+Iterators may read any memory they like, but because arbitrary code may be executed
+whenever they `yield` control, they need to declare what memory locations must not be modified
+by other code in order to maintain correctness.
+The contents of an iterator's `reads` clauses become part of the `reads` clause
+of the implicitly created `Valid()` predicate.
+This means if client code modifies any of this state,
+it will not be able to establish the precondition for the iterator's `MoveNext()` method,
+and hence the iterator body will never resume if this state is modified.
+
+It is regrettably tricky to use iterators. The language really
+ought to have a `foreach` statement to make this easier.
+Here is an example showing a definition and use of an iterator.
+
+<!-- %check-verify -->
+```dafny
+iterator Iter<T(0)>(s: set<T>) yields (x: T)
+  yield ensures x in s && x !in xs[..|xs|-1]
+  ensures s == set z | z in xs
+{
+  var r := s;
+  while (r != {})
+    invariant r !! set z | z in xs
+    invariant s == r + set z | z in xs
+  {
+    var y :| y in r;
+    assert y !in xs;
+    r, x := r - {y}, y;
+    assert y !in xs;
+    yield;
+    assert y == xs[|xs|-1]; // a lemma to help prove loop invariant
+  }
+}
+
+method UseIterToCopy<T(0)>(s: set<T>) returns (t: set<T>)
+  ensures s == t
+{
+  t := {};
+  var m := new Iter(s);
+  while (true)
+    invariant m.Valid() && fresh(m._new)
+    invariant t == set z | z in m.xs
+    decreases s - t
+  {
+    var more := m.MoveNext();
+    if (!more) { break; }
+    t := t + {m.x};
+  }
+}
+```
+
+The design of iterators is [under discussion and may change](https://github.com/dafny-lang/dafny/issues/2440).
+
+<!--PDF NEWPAGE-->
+## 5.12. Arrow types ([grammar](#g-arrow-type)) {#sec-arrow-types}
+
+Examples:
+<!-- %no-check -->
+```dafny
+(int) -> int
+(bool,int) ~> bool
+() --> object?
+```
+
+Functions are first-class values in Dafny. The types of function values
+are called _arrow types_ (aka, _function types_).
+Arrow types have the form `(TT) ~> U` where `TT` is a (possibly empty)
+comma-delimited list of types and `U` is a type.
+`TT` is called the function's _domain type(s)_ and `U` is its
+_range type_.  For example, the type of a function
+<!-- %check-resolve -->
+```dafny
+function F(x: int, arr: array<bool>): real
+  requires x < 1000
+  reads arr
+```
+is `(int, array<bool>) ~> real`.
+
+As seen in the example above, the functions that are values of a type
+`(TT) ~> U` can have a precondition (as indicated by the `requires` clause)
+and can read values in the heap (as indicated by the `reads` clause).
+As described in [Section 5.6.3.3](#sec-arrow-subset-types),
+
+- the subset type `(TT) --> U` denotes partial (but heap-independent) functions
+- and the subset type `(TT) -> U` denotes total functions.
+
+A function declared without a `reads` clause is known by the type
+checker to be a partial function. For example, the type of
+<!-- %check-resolve -->
+```dafny
+function F(x: int, b: bool): real
+  requires x < 1000
+```
+is `(int, bool) --> real`.
+Similarly, a function declared with neither a `reads` clause nor a
+`requires` clause is known by the type checker to be a total function.
+For example, the type of
+<!-- %check-resolve -->
+```dafny
+function F(x: int, b: bool): real
+```
+is `(int, bool) -> real`.
+In addition to functions declared by name, Dafny also supports anonymous
+functions by means of _lambda expressions_ (see [Section 9.13](#sec-lambda-expression)).
+
+To simplify the appearance of the basic case where a function's
+domain consists of a list of exactly one non-function, non-tuple type, the parentheses around
+the domain type can be dropped in this case. For example, you may
+write just `T -> U` for a total arrow type.
+This innocent simplification requires additional explanation in the
+case where that one type is a tuple type, since tuple types are also
+written with enclosing parentheses.
+If the function takes a single argument that is a tuple, an additional
+set of parentheses is needed.  For example, the function
+<!-- %check-resolve -->
+```dafny
+function G(pair: (int, bool)): real
+```
+has type `((int, bool)) -> real`.  Note the necessary double
+parentheses.  Similarly, a function that takes no arguments is
+different from one that takes a 0-tuple as an argument.  For instance,
+the functions
+<!-- %check-resolve -->
+```dafny
+function NoArgs(): real
+function Z(unit: ()): real
+```
+have types `() -> real` and `(()) -> real`, respectively.
+
+The function arrows are right associative.
+For example, `A -> B -> C` means `A -> (B -> C)`, whereas
+the other association requires explicit parentheses: `(A -> B) -> C`.
+As another example, `A -> B --> C ~> D` means
+`A -> (B --> (C ~> D))`.
+
+Note that the receiver parameter of a named function is not part of
+the type.  Rather, it is used when looking up the function and can
+then be thought of as being captured into the function definition.
+For example, suppose function `F` above is declared in a class `C` and
+that `c` references an object of type `C`; then, the following is type
+correct:
+<!-- %no-check -->
+```dafny
+var f: (int, bool) -> real := c.F;
+```
+whereas it would have been incorrect to have written something like:
+<!-- %no-check -->
+```dafny
+var f': (C, int, bool) -> real := F;  // not correct
+```
+
+The arrow types themselves do not divide a function's parameters into ghost
+versus non-ghost. Instead, a function used as a first-class value is
+considered to be ghost if either the function or any of its arguments
+is ghost. The following example program illustrates:
+<!-- %check-resolve Types.18.expect -->
+```dafny
+function F(x: int, ghost y: int): int
+{
+  x
+}
+
+method Example() {
+  ghost var f: (int, int) -> int;
+  var g: (int, int) -> int;
+  var h: (int) -> int;
+  var x: int;
+  f := F;
+  x := F(20, 30);
+  g := F; // error: tries to assign ghost to non-ghost
+  h := F; // error: wrong arity (and also tries to assign ghost to non-ghost)
+}
+```
+
+In addition to its type signature, each function value has three properties,
+described next.
+
+Every function implicitly takes the heap as an argument.  No function
+ever depends on the _entire_ heap, however.  A property of the
+function is its declared upper bound on the set of heap locations it
+depends on for a given input.  This lets the verifier figure out that
+certain heap modifications have no effect on the value returned by a
+certain function.  For a function `f: T ~> U` and a value `t` of type
+`T`, the dependency set is denoted `f.reads(t)` and has type
+`set<object>`.
+
+The second property of functions stems from the fact that every function
+is potentially _partial_. In other words, a property of a function is its
+_precondition_. For a function `f: T ~> U`, the precondition of `f` for a
+parameter value `t` of type `T` is denoted `f.requires(t)` and has type
+`bool`.
+
+The third property of a function is more obvious---the function's
+body.  For a function `f: T ~> U`, the value that the function yields
+for an input `t` of type `T` is denoted `f(t)` and has type `U`.
+
+Note that `f.reads` and `f.requires` are themselves functions.
+Without loss of generality, suppose `f` is defined as:
+<!-- %no-check -->
+```dafny 
+function f<T,U>(x: T): U
+  reads R(x)
+  requires P(x)
+{
+  body(x)
+}
+```
+where `P`, `R`, and `body` are declared as:
+<!-- %no-check -->
+```dafny 
+predicate P<T>(x: T)
+function R<T>(x: T): set<object>
+function body<T,U>(x: T): U
+```
+Then, `f.reads` is a function of type `T ~> set<object?>` 
+whose `reads` and `requires` properties are given by the definition:
+<!-- %no-check -->
+```dafny
+function f.reads<T>(x: T): set<object>
+  reads R(x)
+  requires P(x)
+{
+  R(x)
+}
+```
+`f.requires` is a function of type `T ~> bool` whose `reads` and
+`requires` properties are given by the definition:
+<!-- %no-check -->
+```dafny
+predicate f_requires<T>(x: T)
+  requires true
+  reads if P(x) then R(x) else *
+{
+  P(x)
+}
+```
+where `*` is a notation to indicate that any memory location can
+be read, but is not valid Dafny syntax.
+
+In these examples, if `f` instead had type `T --> U` or `T -> U`,
+then the type of `f.reads` is `T -> set<object?>` and the type
+of `f.requires` is `T -> bool`.
+
+Dafny also supports anonymous functions by means of
+_lambda expressions_. See [Section 9.13](#sec-lambda-expression).
+
+<!--PDF NEWPAGE-->
+## 5.13.  Tuple types {#sec-tuple-types}
+````grammar
+TupleType = "(" [ [ "ghost" ] Type { "," [ "ghost" ] Type } ] ")"
+````
+
+Dafny builds in record types that correspond to tuples and gives these
+a convenient special syntax, namely parentheses.  For example, for what
+might have been declared as
+<!-- %check-resolve -->
+```dafny
+datatype Pair<T,U> = Pair(0: T, 1: U)
+```
+Dafny provides the type `(T, U)` and the constructor `(t, u)`, as
+if the datatype's name were "" (i.e., an empty string)
+and its type arguments are given in
+round parentheses, and as if the constructor name were the empty string.
+Note that
+the destructor names are `0` and `1`, which are legal identifier names
+for members.  For an example showing the use of a tuple destructor, here
+is a property that holds of 2-tuples (that is, _pairs_):
+<!-- %check-verify -->
+```dafny
+method m(){
+  assert (5, true).1 == true;
+}
+```
+
+Dafny declares _n_-tuples where _n_ is 0 or 2 or more.  There are no
+1-tuples, since parentheses around a single type or a single value have
+no semantic meaning.  The 0-tuple type, `()`, is often known as the
+_unit type_ and its single value, also written `()`, is known as _unit_.
+
+The `ghost` modifier can be used to mark tuple components as being used for specification only:
+<!-- %check-resolve -->
+```dafny
+const pair: (int, ghost int) := (1, ghost 2)
+```
+
+<!--PDF NEWPAGE-->
+## 5.14. Algebraic Datatypes ([grammar](#g-datatype)) {#sec-datatype}
+
+Dafny offers two kinds of algebraic datatypes, those defined
+inductively (with `datatype`)  and those defined coinductively (with `codatatype`).
+The salient property of
+every datatype is that each value of the type uniquely identifies one
+of the datatype's constructors and each constructor is injective in
+its parameters.
+
+### 5.14.1. Inductive datatypes {#sec-inductive-datatypes}
+
+The values of inductive datatypes can be seen as finite trees where
+the leaves are values of basic types, numeric types, reference types,
+coinductive datatypes, or arrow types.  Indeed, values of
+inductive datatypes can be compared using Dafny's well-founded
+`<` ordering.
+
+An inductive datatype is declared as follows:
+<!-- %no-check -->
+```dafny
+datatype D<T> = _Ctors_
+```
+where _Ctors_ is a nonempty `|`-separated list of
+_(datatype) constructors_ for the datatype.  Each constructor has the
+form:
+```text
+C(_params_)
+```
+where _params_ is a comma-delimited list of types, optionally
+preceded by a name for the parameter and a colon, and optionally
+preceded by the keyword `ghost`.  If a constructor has no parameters,
+the parentheses after the constructor name may be omitted.  If no
+constructor takes a parameter, the type is usually called an
+_enumeration_; for example:
+<!-- %check-resolve -->
+```dafny
+datatype Friends = Agnes | Agatha | Jermaine | Jack
+```
+
+For every constructor `C`, Dafny defines a _discriminator_ `C?`, which
+is a member that returns `true` if and only if the datatype value has
+been constructed using `C`.  For every named parameter `p` of a
+constructor `C`, Dafny defines a _destructor_ `p`, which is a member
+that returns the `p` parameter from the `C` call used to construct the
+datatype value; its use requires that `C?` holds.  For example, for
+the standard `List` type
+<!-- %check-resolve %save List.tmp -->
+```dafny
+datatype List<T> = Nil | Cons(head: T, tail: List<T>)
+```
+the following holds:
+<!-- %check-verify %use List.tmp -->
+```dafny
+method m() {
+  assert Cons(5, Nil).Cons? && Cons(5, Nil).head == 5;
+}
+```
+Note that the expression
+<!-- %no-check -->
+```dafny
+Cons(5, Nil).tail.head
+```
+is not [well-formed](#sec-assertion-batches) by itself, since `Cons(5, Nil).tail` does not necessarily satisfy
+`Cons?`.
+
+A constructor can have the same name as
+the enclosing datatype; this is especially useful for
+single-constructor datatypes, which are often called
+_record types_.  For example, a record type for black-and-white pixels
+might be represented as follows:
+<!-- %check-resolve -->
+```dafny
+datatype Pixel = Pixel(x: int, y: int, on: bool)
+```
+
+To call a constructor, it is usually necessary only to mention the
+name of the constructor, but if this is ambiguous, it is always
+possible to qualify the name of constructor by the name of the
+datatype.  For example, `Cons(5, Nil)` above can be written
+<!-- %no-check -->
+```dafny
+List.Cons(5, List.Nil)
+```
+
+As an alternative to calling a datatype constructor explicitly, a
+datatype value can be constructed as a change in one parameter from a
+given datatype value using the _datatype update_ expression.  For any
+`d` whose type is a datatype that includes a constructor `C` that has
+a parameter (destructor) named `f` of type `T`, and any expression `t`
+of type `T`,
+<!-- %no-check -->
+```dafny
+d.(f := t)
+```
+constructs a value like `d` but whose `f` parameter is `t`.  The
+operation requires that `d` satisfies `C?`.  For example, the
+following equality holds:
+<!-- %check-verify %use List.tmp -->
+```dafny
+method m(){
+  assert Cons(4, Nil).(tail := Cons(3, Nil)) == Cons(4, Cons(3, Nil));
+}
+```
+
+The datatype update expression also accepts multiple field
+names, provided these are distinct. For example, a node of some
+inductive datatype for trees may be updated as follows:
+
+<!-- %no-check -->
+```dafny
+node.(left := L, right := R)
+```
+
+The operator `<` is defined for two operands of the same datataype.
+It means _is properly contained in_. For example, in the code
+<!-- %check-verify Types.19.expect -->
+```dafny
+datatype X = T(t: X) | I(i: int)
+method comp() {
+  var x := T(I(0));
+  var y := I(0);
+  var z := I(1);
+  assert x.t < x;
+  assert y < x;
+  assert !(x < x);
+  assert z < x; // FAILS
+}
+```
+`x` is a datatype value that holds a `T` variant, which holds a `I` variant, which holds an integer `0`.
+The value `x.t` is a portion of the datatype structure denoted by `x`, so `x.t < x` is true.
+Datatype values are immutable mathematical values, so the value of `y` is identical to the value of
+`x.t`, so `y < x` is true also, even though `y` is constructed from the ground up, rather than as
+a portion of `x`. However, `z` is different than either `y` or `x.t` and consequently `z < x` is not provable.
+Furthermore, `<` does not include `==`, so `x < x` is false.
+
+Note that only `<` is defined; not `<=` or `>` or `>=`.
+
+Also, `<` is underspecified. With the above code, one can prove neither `z < x` nor `!(z < x)` and neither
+`z < y` nor `!(z < y)`. In each pair, though, one or the other is true, so `(z < x) || !(z < x)` is provable.
+
+### 5.14.2. Coinductive datatypes {#sec-coinductive-datatypes}
+
+Whereas Dafny insists that there is a way to construct every inductive
+datatype value from the ground up, Dafny also supports
+_coinductive datatypes_, whose constructors are evaluated lazily, and
+hence the language allows infinite structures.
+A coinductive datatype is declared
+using the keyword `codatatype`; other than that, it is declared and
+used like an inductive datatype.
+
+For example,
+<!-- %check-verify -->
+```dafny
+codatatype IList<T> = Nil | Cons(head: T, tail: IList<T>)
+codatatype Stream<T> = More(head: T, tail: Stream<T>)
+codatatype Tree<T> = Node(left: Tree<T>, value: T, right: Tree<T>)
+```
+declare possibly infinite lists (that is, lists that can be either
+finite or infinite), infinite streams (that is, lists that are always
+infinite), and infinite binary trees (that is, trees where every
+branch goes on forever), respectively.
+
+The paper [Co-induction Simply](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/coinduction.pdf), by Leino and
+Moskal[@LEINO:Dafny:Coinduction], explains Dafny's implementation and
+verification of coinductive types. We capture the key features from that
+paper in the following section but the reader is referred to that paper for more
+complete details and to supply bibliographic references that are
+omitted here.
+
+### 5.14.3. Coinduction {#sec-coinduction}
+
+Mathematical induction is a cornerstone of programming and program
+verification. It arises in data definitions (e.g., some algebraic data
+structures can be described using induction), it underlies program
+semantics (e.g., it explains how to reason about finite iteration and
+recursion), and it is used in proofs (e.g., supporting lemmas about
+data structures use inductive proofs). Whereas induction deals with
+finite things (data, behavior, etc.), its dual, coinduction, deals with
+possibly infinite things. Coinduction, too, is important in programming
+and program verification: it arises in data definitions (e.g., lazy
+data structures), semantics (e.g., concurrency), and proofs (e.g.,
+showing refinement in a coinductive big-step semantics). It is thus
+desirable to have good support for both induction and coinduction in a
+system for constructing and reasoning about programs.
+
+Co-datatypes and co-recursive functions make it possible to use lazily
+evaluated data structures (like in Haskell or Agda). _Greatest predicates_,
+defined by greatest fix-points, let programs state properties of such
+data structures (as can also be done in, for example, Coq). For the
+purpose of writing coinductive proofs in the language, we introduce
+greatest and least lemmas. A greatest lemma invokes the coinduction hypothesis
+much like an inductive proof invokes the induction hypothesis. Underneath
+the hood, our coinductive proofs are actually approached via induction:
+greatest and least lemmas provide a syntactic veneer around this approach.
+
+The following example gives a taste of how the coinductive features in
+Dafny come together to give straightforward definitions of infinite
+matters.
+<!-- %check-verify Types.20.expect -->
+```dafny
+// infinite streams
+codatatype IStream<T> = ICons(head: T, tail: IStream<T>)
+
+// pointwise product of streams
+function Mult(a: IStream<int>, b: IStream<int>): IStream<int>
+{ ICons(a.head * b.head, Mult(a.tail, b.tail)) }
+
+// lexicographic order on streams
+greatest predicate Below(a: IStream<int>, b: IStream<int>)
+{ a.head <= b.head &&
+  ((a.head == b.head) ==> Below(a.tail, b.tail))
+}
+
+// a stream is Below its Square
+greatest lemma Theorem_BelowSquare(a: IStream<int>)
+  ensures Below(a, Mult(a, a))
+{ assert a.head <= Mult(a, a).head;
+  if a.head == Mult(a, a).head {
+    Theorem_BelowSquare(a.tail);
+  }
+}
+
+// an incorrect property and a bogus proof attempt
+greatest lemma NotATheorem_SquareBelow(a: IStream<int>)
+  ensures Below(Mult(a, a), a) // ERROR
+{
+  NotATheorem_SquareBelow(a);
+}
+```
+
+The example defines a type `IStream` of infinite streams, with constructor `ICons` and
+destructors `head` and `tail`. Function `Mult` performs pointwise
+multiplication on infinite streams of integers, defined using a
+co-recursive call (which is evaluated lazily). Greatest predicate `Below` is
+defined as a greatest fix-point, which intuitively means that the
+co-predicate will take on the value true if the recursion goes on forever
+without determining a different value. The greatest lemma states the theorem
+`Below(a, Mult(a, a))`. Its body gives the proof, where the recursive
+invocation of the co-lemma corresponds to an invocation of the
+coinduction hypothesis.
+
+The proof of the theorem stated by the first co-lemma lends
+itself to the following intuitive reading: To prove that `a` is below
+`Mult(a, a)`, check that their heads are ordered and, if the heads are
+equal, also prove that the tails are ordered. The second co-lemma states
+a property that does not always hold; the verifier is not fooled by the
+bogus proof attempt and instead reports the property as unproved.
+
+We argue that these definitions in Dafny are simple enough to level the
+playing field between induction (which is familiar) and coinduction
+(which, despite being the dual of induction, is often perceived as eerily
+mysterious). Moreover, the automation provided by our SMT-based verifier
+reduces the tedium in writing coinductive proofs. For example, it
+verifies `Theorem_BelowSquare` from the program text given above---no
+additional lemmas or tactics are needed. In fact, as a consequence of the
+automatic-induction heuristic in Dafny, the verifier will
+automatically verify `Theorem_BelowSquare` even given an empty body.
+
+Just like there are restrictions on when an _inductive hypothesis_ can be
+invoked, there are restrictions on how a _coinductive_ hypothesis can be
+_used_. These are, of course, taken into consideration by Dafny's verifier.
+For example, as illustrated by the second greatest lemma above, invoking the
+coinductive hypothesis in an attempt to obtain the entire proof goal is
+futile. (We explain how this works in [the section about greatest lemmas](#sec-colemmas)) Our initial experience
+with coinduction in Dafny shows it to provide an intuitive, low-overhead
+user experience that compares favorably to even the best of today’s
+interactive proof assistants for coinduction. In addition, the
+coinductive features and verification support in Dafny have other
+potential benefits. The features are a stepping stone for verifying
+functional lazy programs with Dafny. Coinductive features have also
+shown to be useful in defining language semantics, as needed to verify
+the correctness of a compiler, so this opens the possibility that
+such verifications can benefit from SMT automation.
+
+#### 5.14.3.1. Well-Founded Function/Method Definitions
+The Dafny programming language supports functions and methods. A _function_
+in Dafny is a mathematical function (i.e., it is well-defined,
+deterministic, and pure), whereas a _method_ is a body of statements that
+can mutate the state of the program. A function is defined by its given
+body, which is an expression. To ensure that function definitions
+are mathematically consistent, Dafny insists that recursive calls be well-founded,
+enforced as follows: Dafny computes the call graph of functions. The strongly connected
+components within it are _clusters_ of mutually recursive definitions; the clusters are arranged in
+a DAG. This stratifies the functions so that a call from one cluster in the DAG to a
+lower cluster is allowed arbitrarily. For an intra-cluster call, Dafny prescribes a proof
+obligation that is taken through the program verifier’s reasoning engine. Semantically,
+each function activation is labeled by a _rank_—a lexicographic tuple determined
+by evaluating the function’s `decreases` clause upon invocation of the function. The
+proof obligation for an intra-cluster call is thus that the rank of the callee is strictly less
+(in a language-defined well-founded relation) than the rank of the caller. Because
+these well-founded checks correspond to proving termination of executable code, we
+will often refer to them as “termination checks”. The same process applies to methods.
+
+Lemmas in Dafny are commonly introduced by declaring a method, stating
+the property of the lemma in the _postcondition_ (keyword `ensures`) of
+the method, perhaps restricting the domain of the lemma by also giving a
+_precondition_ (keyword `requires`), and using the lemma by invoking
+the method. Lemmas are stated, used, and proved as methods, but
+since they have no use at run time, such lemma methods are typically
+declared as _ghost_, meaning that they are not compiled into code. The
+keyword `lemma` introduces such a method. Control flow statements
+correspond to proof techniques—case splits are introduced with if
+statements, recursion and loops are used for induction, and method calls
+for structuring the proof. Additionally, the statement:
+<!-- %no-check -->
+```dafny
+forall x | P(x) { Lemma(x); }
+```
+is used to invoke `Lemma(x)` on all `x` for which `P(x)` holds. If
+`Lemma(x)` ensures `Q(x)`, then the forall statement establishes
+<!-- %no-check -->
+```dafny
+forall x :: P(x) ==> Q(x).
+```
+
+#### 5.14.3.2. Defining Coinductive Datatypes
+Each value of an inductive datatype is finite, in the sense that it can
+be constructed by a finite number of calls to datatype constructors. In
+contrast, values of a coinductive datatype, or co-datatype for short,
+can be infinite. For example, a co-datatype can be used to represent
+infinite trees.
+
+Syntactically, the declaration of a co-datatype in Dafny looks like that
+of a datatype, giving prominence to the constructors (following Coq). The
+following example defines a co-datatype Stream of possibly
+infinite lists.
+
+<!-- %check-verify %save Stream.tmp -->
+```dafny
+codatatype Stream<T> = SNil | SCons(head: T, tail: Stream)
+function Up(n: int): Stream<int> { SCons(n, Up(n+1)) }
+function FivesUp(n: int): Stream<int>
+  decreases 4 - (n - 1) % 5
+{
+  if (n % 5 == 0) then
+    SCons(n, FivesUp(n+1))
+  else
+    FivesUp(n+1)
+}
+```
+
+`Stream` is a coinductive datatype whose values are possibly infinite
+lists. Function `Up` returns a stream consisting of all integers upwards
+of `n` and `FivesUp` returns a stream consisting of all multiples of 5
+upwards of `n` . The self-call in `Up` and the first self-call in `FivesUp`
+sit in productive positions and are therefore classified as co-recursive
+calls, exempt from termination checks. The second self-call in `FivesUp` is
+not in a productive position and is therefore subject to termination
+checking; in particular, each recursive call must decrease the rank
+defined by the `decreases` clause.
+
+Analogous to the common finite list datatype, `Stream` declares two
+constructors, `SNil` and `SCons`. Values can be destructed using match
+expressions and statements. In addition, like for inductive datatypes,
+each constructor `C` automatically gives rise to a discriminator `C?` and
+each parameter of a constructor can be named in order to introduce a
+corresponding destructor. For example, if `xs` is the stream
+`SCons(x, ys)`, then `xs.SCons?` and `xs.head == x` hold. In contrast
+to datatype declarations, there is no grounding check for
+co-datatypes—since a codatatype admits infinite values, the type is
+nevertheless inhabited.
+
+#### 5.14.3.3. Creating Values of Co-datatypes
+To define values of co-datatypes, one could imagine a “co-function”
+language feature: the body of a “co-function” could include possibly
+never-ending self-calls that are interpreted by a greatest fix-point
+semantics (akin to a **CoFixpoint** in Coq). Dafny uses a different design:
+it offers only functions (not “co-functions”), but it classifies each
+intra-cluster call as either _recursive_ or _co-recursive_. Recursive calls
+are subject to termination checks. Co-recursive calls may be
+never-ending, which is what is needed to define infinite values of a
+co-datatype. For example, function `Up(n)` in the preceding example is defined as the
+stream of numbers from `n` upward: it returns a stream that starts with `n`
+and continues as the co-recursive call `Up(n + 1)`.
+
+To ensure that co-recursive calls give rise to mathematically consistent definitions,
+they must occur only in productive positions. This says that it must be possible to determine
+each successive piece of a co-datatype value after a finite amount of work. This
+condition is satisfied if every co-recursive call is syntactically guarded by a constructor
+of a co-datatype, which is the criterion Dafny uses to classify intra-cluster calls as being
+either co-recursive or recursive. Calls that are classified as co-recursive are exempt from
+termination checks.
+
+A consequence of the productivity checks and termination checks is that, even in the
+absence of talking about least or greatest fix-points of self-calling functions, all functions
+in Dafny are deterministic. Since there cannot be multiple fix-points,
+the language allows one function to be involved in both recursive and co-recursive calls,
+as we illustrate by the function `FivesUp`.
+
+#### 5.14.3.4. Co-Equality {#sec-co-equality}
+Equality between two values of a co-datatype is a built-in co-predicate.
+It has the usual equality syntax `s == t`, and the corresponding prefix
+equality is written `s ==#[k] t`. And similarly for `s != t`
+and `s !=#[k] t`.
+
+#### 5.14.3.5. Greatest predicates {#sec-copredicates}
+
+Determining properties of co-datatype values may require an infinite
+number of observations. To that end, Dafny provides _greatest predicates_
+which are function declarations that use the `greatest predicate` keyword phrase.
+Self-calls to a greatest predicate need not terminate. Instead, the value
+defined is the greatest fix-point of the given recurrence equations.
+Continuing the preceding example, the following code defines a
+greatest predicate that holds for exactly those streams whose payload consists
+solely of positive integers. The greatest predicate definition implicitly also
+gives rise to a corresponding prefix predicate, `Pos#`. The syntax for
+calling a prefix predicate sets apart the argument that specifies the
+prefix length, as shown in the last line; for this figure, we took the
+liberty of making up a coordinating syntax for the signature of the
+automatically generated prefix predicate (which is not part of
+Dafny syntax).
+
+<!-- %check-resolve %use Stream.tmp %save Pos.tmp -->
+```dafny
+greatest predicate Pos[nat](s: Stream<int>)
+{
+  match s
+  case SNil => true
+  case SCons(x, rest) => x > 0 && Pos(rest)
+}
+```
+The following code is automatically generated by the Dafny compiler:
+<!-- %no-check -->
+```dafny
+predicate Pos#[_k: nat](s: Stream<int>)
+  decreases _k
+{ if _k == 0 then true else
+  match s
+  case SNil => true
+  case SCons(x, rest) => x > 0 && Pos#[_k-1](rest)
+}
+```
+
+Some restrictions apply. To guarantee that the greatest fix-point always
+exists, the (implicit functor defining the) greatest predicate must be
+monotonic. This is enforced by a syntactic restriction on the form of the
+body of greatest predicates: after conversion to negation normal form (i.e.,
+pushing negations down to the atoms), intra-cluster calls of
+greatest predicates must appear only in _positive_ positions—that is, they must
+appear as atoms and must not be negated. Additionally, to guarantee
+soundness later on, we require that they appear in _continous_
+positions—that is, in negation normal form, when they appear under
+existential quantification, the quantification needs to be limited to a
+finite range[^fn-copredicate-restriction]. Since the evaluation of a greatest predicate might not
+terminate, greatest predicates are always ghost. There is also a restriction on
+the call graph that a cluster containing a greatest predicate must contain only
+greatest predicates, no other kinds of functions.
+
+[^fn-copredicate-restriction]: To be specific, Dafny has two forms of 
+extreme predicates and lemmas, one in which `_k` has type `nat` and one in 
+which it has type `ORDINAL` (the default). The continuous restriction 
+applies only when `_k` is `nat`. Also, higher-order function support in Dafny is
+    rather modest and typical reasoning patterns do not involve them, so this
+    restriction is not as limiting as it would have been in, e.g., Coq.
+
+A **greatest predicate** declaration of `P` defines not just a greatest predicate, but
+also a corresponding _prefix predicate_ `P#`. A prefix predicate is a
+finite unrolling of a co-predicate. The prefix predicate is constructed
+from the co-predicate by
+
+* adding a parameter `_k` of type `nat` to denote the prefix length,
+
+* adding the clause `decreases _k;` to the prefix predicate (the
+  greatest predicate itself is not allowed to have a decreases clause),
+
+* replacing in the body of the greatest predicate every intra-cluster
+  call `Q(args)` to a greatest predicate by a call `Q#[_k - 1](args)`
+  to the corresponding prefix predicate, and then
+
+* prepending the body with `if _k == 0 then true else`.
+
+For example, for greatest predicate `Pos`, the definition of the prefix
+predicate `Pos#` is as suggested above. Syntactically, the prefix-length
+argument passed to a prefix predicate to indicate how many times to
+unroll the definition is written in square brackets, as in `Pos#[k](s)`.
+In the Dafny grammar this is called a ``HashCall``. The definition of
+`Pos#` is available only at clusters strictly higher than that of `Pos`;
+that is, `Pos` and `Pos#` must not be in the same cluster. In other
+words, the definition of `Pos` cannot depend on `Pos#`.
+
+#### 5.14.3.6. Coinductive Proofs
+
+From what we have said so far, a program can make use of properties of
+co-datatypes. For example, a method that declares `Pos(s)` as a
+precondition can rely on the stream `s` containing only positive integers.
+In this section, we consider how such properties are established in the
+first place.
+
+##### 5.14.3.6.1. Properties of Prefix Predicates
+
+Among other possible strategies for establishing coinductive properties
+we take the time-honored approach of reducing coinduction to
+induction. More precisely, Dafny passes to the SMT solver an
+assumption `D(P)` for every greatest predicate `P`, where:
+
+<!-- %no-check -->
+```dafny
+D(P) = forall x • P(x) <==> forall k • P#[k](x)
+```
+
+In other words, a greatest predicate is true iff its corresponding prefix
+predicate is true for all finite unrollings.
+
+In Sec. 4 of the paper [Co-induction Simply] a soundness theorem of such
+assumptions is given, provided the greatest predicates meet the continous
+restrictions. An example proof of `Pos(Up(n))` for every `n > 0` is
+shown here:
+
+<!-- %check-verify %use Pos.tmp -->
+```dafny
+lemma UpPosLemma(n: int)
+  requires n > 0
+  ensures Pos(Up(n))
+{
+  forall k | 0 <= k { UpPosLemmaK(k, n); }
+}
+
+lemma UpPosLemmaK(k: nat, n: int)
+  requires n > 0
+  ensures Pos#[k](Up(n))
+  decreases k
+{
+  if k != 0 {
+    // this establishes Pos#[k-1](Up(n).tail)
+    UpPosLemmaK(k-1, n+1);
+  }
+}
+```
+
+The lemma `UpPosLemma` proves `Pos(Up(n))` for every `n > 0`. We first
+show `Pos#[k](Up(n ))`, for `n > 0` and an arbitrary `k`, and then use
+the forall statement to show `forall k • Pos#[k](Up(n))`. Finally, the axiom
+`D(Pos)` is used (automatically) to establish the greatest predicate.
+
+
+##### 5.14.3.6.2. Greatest lemmas {#sec-colemmas}
+
+As we just showed, with help of the `D` axiom we can now prove a
+greatest predicate by inductively proving that the corresponding prefix
+predicate holds for all prefix lengths `k`. In this section, we introduce
+_greatest lemma_ declarations, which bring about two benefits. The first benefit
+is that greatest lemmas are syntactic sugar and reduce the tedium of having to
+write explicit quantifications over `k`. The second benefit is that, in
+simple cases, the bodies of greatest lemmas can be understood as coinductive
+proofs directly. As an example consider the following greatest lemma.
+
+<!-- %no-check -->
+```dafny
+greatest lemma UpPosLemma(n: int)
+  requires n > 0
+  ensures Pos(Up(n))
+{
+  UpPosLemma(n+1);
+}
+```
+This greatest lemma can be understood as follows: `UpPosLemma` invokes itself
+co-recursively to obtain the proof for `Pos(Up(n).tail)` (since `Up(n).tail`
+equals `Up(n+1)`). The proof glue needed to then conclude `Pos(Up(n))` is
+provided automatically, thanks to the power of the SMT-based verifier.
+
+##### 5.14.3.6.3. Prefix Lemmas {#sec-prefix-lemmas}
+
+To understand why the above `UpPosLemma` greatest lemma code is a sound proof,
+let us now describe the details of the desugaring of greatest lemmas. In
+analogy to how a **greatest predicate** declaration defines both a greatest predicate and
+a prefix predicate, a **greatest lemma** declaration defines both a greatest lemma and
+_prefix lemma_. In the call graph, the cluster containing a greatest lemma must
+contain only greatest lemmas and prefix lemmas, no other methods or function.
+By decree, a greatest lemma and its corresponding prefix lemma are always
+placed in the same cluster. Both greatest lemmas and prefix lemmas are always
+ghost code.
+
+The prefix lemma is constructed from the greatest lemma by
+
+* adding a parameter `_k` of type `nat` to denote the prefix length,
+
+* replacing in the greatest lemma’s postcondition the positive continuous
+  occurrences of greatest predicates by corresponding prefix predicates,
+  passing in `_k` as the prefix-length argument,
+
+* prepending `_k` to the (typically implicit) **decreases** clause of the greatest lemma,
+
+* replacing in the body of the greatest lemma every intra-cluster call
+  `M(args)` to a greatest lemma by a call `M#[_k - 1](args)` to the
+  corresponding prefix lemma, and then
+
+* making the body’s execution conditional on `_k != 0`.
+
+Note that this rewriting removes all co-recursive calls of greatest lemmas,
+replacing them with recursive calls to prefix lemmas. These recursive
+calls are, as usual, checked to be terminating. We allow the pre-declared
+identifier `_k` to appear in the original body of the
+greatest lemma.[^fn-co-predicate-co-lemma-diffs]
+
+[^fn-co-predicate-co-lemma-diffs]: Note, two places where co-predicates
+    and co-lemmas are not analogous are (a) co-predicates must not make
+    recursive calls to their prefix predicates and (b) co-predicates cannot
+    mention `_k`.
+
+We can now think of the body of the greatest lemma as being replaced by a
+**forall** call, for every _k_ , to the prefix lemma. By construction,
+this new body will establish the greatest lemma’s declared postcondition (on
+account of the `D` axiom, and remembering that only the positive
+continuous occurrences of greatest predicates in the greatest lemma’s postcondition
+are rewritten), so there is no reason for the program verifier to check
+it.
+
+The actual desugaring of our greatest lemma `UpPosLemma` is in fact the
+previous code for the `UpPosLemma` lemma except that `UpPosLemmaK` is
+named `UpPosLemma#` and modulo a minor syntactic difference in how the
+`k` argument is passed.
+
+In the recursive call of the prefix lemma, there is a proof obligation
+that the prefixlength argument `_k - 1` is a natural number.
+Conveniently, this follows from the fact that the body has been wrapped
+in an `if _k != 0` statement. This also means that the postcondition must
+hold trivially when `_k == 0`, or else a postcondition violation will be
+reported. This is an appropriate design for our desugaring, because
+greatest lemmas are expected to be used to establish greatest predicates, whose
+corresponding prefix predicates hold trivially when `_k = 0`. (To prove
+other predicates, use an ordinary lemma, not a greatest lemma.)
+
+It is interesting to compare the intuitive understanding of the
+coinductive proof in using a greatest lemma with the inductive proof in using
+a lemma. Whereas the inductive proof is performing proofs for deeper
+and deeper equalities, the greatest lemma can be understood as producing the
+infinite proof on demand.
+
+#### 5.14.3.7. Abstemious and voracious functions {#sec-abstemious}
+
+Some functions on codatatypes are _abstemious_, meaning that they do not
+need to unfold a datatype instance very far (perhaps just one destructor call) 
+to prove a relevant property. Knowing this is the case can aid the proofs of
+properties about the function. The attribute `{:abstemious}` can be applied to
+a function definition to indicate this.
+
+_TODO: Say more about the effect of this attribute and when it should be applied
+(and likely, correct the paragraph above)._
+
+
+# 6. Member declarations {#sec-member-declaration}
+
+Members are the various kinds of methods, the various kinds of functions, mutable fields,
+and constant fields. These are usually associated with classes, but they also may be
+declared (with limitations) in traits, newtypes and datatypes (but not in subset types or type synonyms).
+
+## 6.1. Field Declarations ([grammar](#g-field-declaration)) {#sec-field-declaration}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+class C {
+  var c: int  // no initialization
+  ghost var 123: bv10  // name may be a sequence of digits
+  var d: nat, e: real  // type is required
+}
+```
+A field declaration is not permitted in a value type nor as a member of a module
+(despite there being an implicit unnamed class).
+
+The field name is either an
+identifier (that is not allowed to start with a leading underscore) or
+some digits. Digits are used if you want to number your fields, e.g. "0",
+"1", etc. The digits do not denote numbers but sequences of digits,
+so 0, 00, 0_0 are all different.
+
+A field x of some type T is declared as:
+<!-- %no-check -->
+```dafny
+var x: T
+```
+
+A field declaration declares one or more fields of the enclosing class.
+Each field is a named part of the state of an object of that class. A
+field declaration is similar to but distinct from a variable declaration
+statement. Unlike for local variables and bound variables, the type is
+required and will not be inferred.
+
+Unlike method and function declarations, a field declaration
+is not permitted as a member of a module, even though there is an implicit class.
+Fields can be declared in either an explicit
+class or a trait. A class that inherits from multiple traits will
+have all the fields declared in any of its parent traits.
+
+Fields that are declared as `ghost` can only be used in specifications,
+not in code that will be compiled into executable code.
+
+Fields may not be declared static.
+
+## 6.2. Constant Field Declarations ([grammar](#g-const-declaration)) {#sec-constant-field-declaration}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+const c: int
+ghost const d := 5
+class A {
+  const e: bool
+  static const f: int
+}
+```
+A `const` declaration declares a name bound to a value,
+which value is fixed after initialization.
+
+The declaration must either have a type or an initializing expression (or both).
+If the type is omitted, it is inferred from the initializing expression.
+
+* A const declaration may include the `ghost`, `static`, and `opaque` modifiers, but no
+others.
+* A const declaration may appear within a module or within any declaration
+that may contain members (class, trait, datatype, newtype).
+* If it is in a module, it is implicitly `static`, and may not also be declared
+`static`.
+* If the declaration has an initializing expression that is a ghost
+expression, then the ghost-ness of the declaration is inferred; the `ghost`
+modifier may be omitted.
+* If the declaration includes the `opaque` modifier, then uses of the declared
+variable know its name and type but not its value. The value can be made known for
+reasoning purposes by using the [reveal statement](#sec-reveal-statement).
+* The initialization expression may refer to other constant fields that are in scope and declared either
+before or after this declaration, but circular references are not allowed.
+
+## 6.3. Method Declarations ([grammar](#g-method-declaration)) {#sec-method-declaration}
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+method m(i: int) requires i > 0 {}
+method p() returns (r: int) { r := 0; }
+method q() returns (r: int, s: int, t: nat) ensures r < s < t { r := 0; s := 1; t := 2; }
+ghost method g() {}
+class A {
+  method f() {}
+  constructor Init() {}
+  static method g<T>(t: T) {}
+}
+lemma L(p: bool) ensures p || !p {}
+twostate lemma TL(p: bool) ensures p || !p {}
+least lemma LL[nat](p: bool) ensures p || !p {}
+greatest lemma GL(p: bool) ensures p || !p {}
+abstract module M { method m(i: int) }
+module N refines M { method m ... {} }
+```
+
+Method declarations include a variety of related types of methods:
+- method
+- constructor
+- lemma
+- twostate lemma
+- least lemma
+- greatest lemma
+
+A method signature specifies the method generic parameters,
+input parameters and return parameters.
+The formal parameters are not allowed to have `ghost` specified
+if `ghost` was already specified for the method.
+Within the body of a method, formal (input) parameters are immutable, that is, 
+they may not be assigned to, though their array elements or fields may be
+assigned, if otherwise permitted.
+The out-parameters are mutable and must be assigned in the body of the method.
+
+An ``ellipsis`` is used when a method or function is being redeclared
+in a module that refines another module. (cf. [Section 10](#sec-module-refinement))
+In that case the signature is
+copied from the module that is being refined. This works because
+Dafny does not support method or function overloading, so the
+name of the class method uniquely identifies it without the
+signature.
+
+See [Section 7.2](#sec-method-specification) for a description of the method specification.
+
+Here is an example of a method declaration.
+
+<!-- %no-check -->
+```dafny
+method {:att1}{:att2} M<T1, T2>(a: A, b: B, c: C)
+                                        returns (x: X, y: Y, z: Z)
+  requires Pre
+  modifies Frame
+  ensures Post
+  decreases Rank
+{
+  Body
+}
+```
+
+where `:att1` and `:att2` are attributes of the method,
+`T1` and `T2` are type parameters of the method (if generic),
+`a, b, c` are the method’s in-parameters, `x, y, z` are the
+method’s out-parameters, `Pre` is a boolean expression denoting the
+method’s precondition, `Frame` denotes a set of objects whose fields may
+be updated by the method, `Post` is a boolean expression denoting the
+method’s postcondition, `Rank` is the method’s variant function, and
+`Body` is a list of statements that implements the method. `Frame` can be a list
+of expressions, each of which is a set of objects or a single object, the
+latter standing for the singleton set consisting of that one object. The
+method’s frame is the union of these sets, plus the set of objects
+allocated by the method body. For example, if `c` and `d` are parameters
+of a class type `C`, then
+
+<!-- %no-check -->
+```dafny
+modifies {c, d}
+modifies {c} + {d}
+modifies c, {d}
+modifies c, d
+```
+
+all mean the same thing.
+
+If the method is an _extreme lemma_ ( a `least` or `greatest` lemma), then the 
+method signature may also state the type of the _k_ parameter as either `nat` or `ORDINAL`.
+These are described
+in [Section 12.5.3](#sec-friendliness) and subsequent sections.
+
+### 6.3.1. Ordinary methods
+
+A method can be declared as ghost by preceding the declaration with the
+keyword `ghost` and as static by preceding the declaration with the keyword `static`.
+The default is non-static (i.e., instance) for methods declared in a type and non-ghost.
+An instance method has an implicit receiver parameter, `this`.
+A static method M in a class C can be invoked by `C.M(…)`.
+
+An ordinary method is declared with the `method` keyword;
+[the section about constructors](#sec-constructor-methods) explains methods that instead use the
+`constructor` keyword; [the section about lemmas](#sec-lemmas) discusses methods that are
+declared with the `lemma` keyword. Methods declared with the
+`least lemma` or `greatest lemma` keyword phrases
+are discussed later in the context of extreme
+predicates (see [the section about greatest lemmas](#sec-colemmas)).
+
+A method without a body is _abstract_. A method is allowed to be
+abstract under the following circumstances:
+
+* It contains an `{:axiom}` attribute
+* It contains an `{:extern}` attribute (in this case, to be runnable, the method must have a body in non-Dafny compiled code in the target language.)
+* It is a declaration in an abstract module.
+Note that when there is no body, Dafny assumes that the *ensures*
+clauses are true without proof.
+
+### 6.3.2. Constructors {#sec-constructor-methods}
+To write structured object-oriented programs, one often relies on
+objects being constructed only in certain ways.  For this purpose, Dafny
+provides _constructor (method)s_.
+A constructor is declared with the keyword
+`constructor` instead of `method`; constructors are permitted only in classes.
+A constructor is allowed to be declared as `ghost`, in which case it
+can only be used in ghost contexts.
+
+A constructor can only be called at the time an object is allocated (see
+object-creation examples below). Moreover, when a class contains a
+constructor, every call to `new` for a class must be accompanied
+by a call to one of its constructors. A class may
+declare no constructors or one or more constructors.
+
+In general, a constructor is responsible for initializating the 
+instance fields of its class. However, any field that is given an
+initializer in its declaration may not be reassigned in the body
+of the constructor.
+
+#### 6.3.2.1. Classes with no explicit constructors
+
+For a class that declares no constructors, an instance of the class is
+created with
+<!-- %no-check -->
+```dafny
+c := new C;
+```
+This allocates an object and initializes its fields to values of their
+respective types (and initializes each `const` field with a RHS to its specified
+value). The RHS of a `const` field may depend on other `const` or `var` fields,
+but circular dependencies are not allowed.
+
+This simple form of `new` is allowed only if the class declares no constructors,
+which is not possible to determine in every scope.
+It is easy to determine whether or not a class declares any constructors if the
+class is declared in the same module that performs the `new`. If the class is
+declared in a different module and that module exports a constructor, then it is
+also clear that the class has a constructor (and thus this simple form of `new`
+cannot be used). (Note that an export set that `reveals` a class `C` also exports
+the anonymous constructor of `C`, if any.)
+But if the module that declares `C` does not export any constructors
+for `C`, then callers outside the module do not know whether or not `C` has a
+constructor. Therefore, this simple form of `new` is allowed only for classes that
+are declared in the same module as the use of `new`.
+
+The simple `new C` is allowed in ghost contexts. Also, unlike the forms of `new`
+that call a constructor or initialization method, it can be used in a simultaneous
+assignment; for example
+<!-- %no-check -->
+```dafny
+c, d, e := new C, new C, 15;
+```
+is legal.
+
+As a shorthand for writing
+<!-- %no-check -->
+```dafny
+c := new C;
+c.Init(args);
+```
+where `Init` is an initialization method (see the top of [the section about class types](#sec-class-types)),
+one can write
+<!-- %no-check -->
+```dafny
+c := new C.Init(args);
+```
+but it is more typical in such a case to declare a constructor for the class.
+
+(The syntactic support for initialization methods is provided for historical
+reasons. It may be deprecated in some future version of Dafny. In most cases,
+a constructor is to be preferred.)
+
+#### 6.3.2.2. Classes with one or more constructors
+
+Like other class members, constructors have names. And like other members,
+their names must be distinct, even if their signatures are different.
+Being able to name constructors promotes names like `InitFromList` or
+`InitFromSet` (or just `FromList` and `FromSet`).
+Unlike other members, one constructor is allowed to be _anonymous_;
+in other words, an _anonymous constructor_ is a constructor whose name is
+essentially the empty string.  For example:
+<!-- %check-resolve -->
+```dafny
+class Item {
+  constructor I(xy: int) // ...
+  constructor (x: int, y: int)
+  // ...
+}
+```
+The named constructor is invoked as
+<!-- %no-check -->
+```dafny
+  i := new Item.I(42);
+```
+The anonymous constructor is invoked as
+<!-- %no-check -->
+```dafny
+  m := new Item(45, 29);
+```
+dropping the "`.`".
+
+#### 6.3.2.3. Two-phase constructors
+
+The body of a constructor contains two sections,
+an initialization phase and a post-initialization phase, separated by a `new;` statement.
+If there is no `new;` statement, the entire body is the initialization phase.
+The initialization phase is intended to initialize field variables
+that were not given values in their declaration; it may not reassign
+to fields that do have initializers in their declarations.
+In this phase, uses of the object reference `this` are restricted;
+a program may use `this`
+
+ - as the receiver on the LHS,
+ - as the entire RHS of an assignment to a field of `this`,
+ - and as a member of a set on the RHS that is being assigned to a field of `this`.
+
+A `const` field with a RHS is not allowed to be assigned anywhere else.
+A `const` field without a RHS may be assigned only in constructors, and more precisely
+only in the initialization phase of constructors. During this phase, a `const` field
+may be assigned more than once; whatever value the `const` field has at the end of the
+initialization phase is the value it will have forever thereafter.
+
+For a constructor declared as `ghost`, the initialization phase is allowed to assign
+both ghost and non-ghost fields. For such an object, values of non-ghost fields at
+the end of the initialization phase are in effect no longer changeable.
+
+There are no restrictions on expressions or statements in the post-initialization phase.
+
+### 6.3.3. Lemmas {#sec-lemmas}
+Sometimes there are steps of logic required to prove a program correct,
+but they are too complex for Dafny to discover and use on its own. When
+this happens, we can often give Dafny assistance by providing a lemma.
+This is done by declaring a method with the `lemma` keyword.
+Lemmas are implicitly ghost methods and the `ghost` keyword cannot
+be applied to them.
+
+Syntactically, lemmas can be placed where ghost methods can be placed, but they serve 
+a significantly different function. First of all, a lemma is forbidden to have 
+`modifies` clause: it may not change anything about even the ghost state; ghost methods
+may have `modifies` clauses and may change ghost (but not non-ghost) state. 
+Furthermore, a lemma is not allowed to allocate any new objects.
+And a lemma may be used in the program text in places where ghost methods may not,
+such as within expressions (cf. [Section 21.1](sec-top-level-expression)).
+
+Lemmas may, but typically do not, have out-parameters.
+
+In summary, a lemma states a logical fact, summarizing an inference that the verifier
+cannot do on its own. Explicitly "calling" a lemma in the program text tells the verifier
+to use that fact at that location with the actual arguments substituted for the 
+formal parameters. The lemma is proved separately for all cases of its formal parameters
+that satisfy the preconditions of the lemma. 
+
+For an example, see the `FibProperty` lemma in
+[Section 12.5.2](#sec-proofs-in-dafny).
+
+See [the Dafny Lemmas tutorial](../OnlineTutorial/Lemmas)
+for more examples and hints for using lemmas.
+
+### 6.3.4. Two-state lemmas and functions {#sec-two-state}
+
+The heap is an implicit parameter to every function, though a function is only allowed
+to read those parts of the mutable heap that it admits to in its `reads` clause.
+Sometimes, it is useful for a function to take two heap parameters, for example, so
+the function can return the difference between the value of a field in the two heaps.
+Such a _two-state function_ is declared by `twostate function` (or `twostate predicate`,
+which is the same as a `twostate function` that returns a `bool`). A two-state function
+is always ghost. It is appropriate to think of these two implicit heap parameters as
+representing a "current" heap and an "old" heap.
+
+For example, the predicate
+<!-- %check-verify %save Increasing.tmp -->
+```dafny
+class Cell { var data: int  constructor(i: int) { data := i; } }
+twostate predicate Increasing(c: Cell)
+  reads c
+{
+  old(c.data) <= c.data
+}
+```
+returns `true` if the value of `c.data` has not been reduced from the old state to the
+current. Dereferences in the current heap are written as usual (e.g., `c.data`) and
+must, as usual, be accounted for in the function's `reads` clause. Dereferences in the
+old heap are enclosed by `old` (e.g., `old(c.data)`), just like when one dereferences
+a  method's initial heap. The function is allowed to read anything in the old heap;
+the `reads` clause only declares dependencies on locations in the current heap.
+Consequently, the frame axiom for a two-state function is sensitive to any change
+in the old-heap parameter; in other words, the frame axiom says nothing about two
+invocations of the two-state function with different old-heap parameters.
+
+At a call site, the two-state function's current-heap parameter is always passed in
+as the caller's current heap. The two-state function's old-heap parameter is by
+default passed in as the caller's old heap (that is, the initial heap if the caller
+is a method and the old heap if the caller is a two-state function). While there is
+never a choice in which heap gets passed as the current heap, the caller can use
+any preceding heap as the argument to the two-state function's old-heap parameter.
+This is done by labeling a state in the caller and passing in the label, just like
+this is done with the built-in `old` function.
+
+For example, the following assertions all hold:
+<!-- %check-verify %use Increasing.tmp -->
+```dafny
+method Caller(c: Cell)
+  modifies c
+{
+  c.data := c.data + 10;
+  label L:
+  assert Increasing(c);
+  c.data := c.data - 2;
+  assert Increasing(c);
+  assert !Increasing@L(c);
+}
+```
+The first call to `Increasing` uses `Caller`'s initial state as the old-heap parameter,
+and so does the second call. The third call instead uses as the old-heap parameter
+the heap at label `L`, which is why the third call returns `false`.
+As shown in the example, an explicitly given old-heap parameter is given after
+an `@`-sign (which follows the name of the function and any explicitly given type
+parameters) and before the open parenthesis (after which the ordinary parameters are
+given).
+
+A two-state function is allowed to be called only from a two-state context, which
+means a method, a two-state lemma (see below), or another two-state function.
+Just like a label used with an `old` expression, any label used in a call to a
+two-state function must denote a program point that _dominates_ the call. This means
+that any control leading to the call must necessarily have passed through the labeled
+program point.
+
+Any parameter (including the receiver parameter, if any) passed to a two-state function
+must have been allocated already in the old state. For example, the second call to
+`Diff` in method `M` is illegal, since `d` was not allocated on entry to `M`:
+<!-- %check-verify Types.11.expect %use Increasing.tmp -->
+```dafny
+twostate function Diff(c: Cell, d: Cell): int
+  reads d
+{
+  d.data - old(c.data)
+}
+
+method M(c: Cell) {
+  var d := new Cell(10);
+  label L:
+  ghost var x := Diff@L(c, d);
+  ghost var y := Diff(c, d); // error: d is not allocated in old state
+}
+```
+
+A two-state function may declare that it only assumes a parameter to be allocated
+in the current heap. This is done by preceding the parameter with the `new` modifier,
+as illustrated in the following example, where the first call to `DiffAgain` is legal:
+<!-- %check-verify Types.12.expect %use Increasing.tmp -->
+```dafny
+twostate function DiffAgain(c: Cell, new d: Cell): int
+  reads d
+{
+  d.data - old(c.data)
+}
+
+method P(c: Cell) {
+  var d := new Cell(10);
+  ghost var x := DiffAgain(c, d);
+  ghost var y := DiffAgain(d, c); // error: d is not allocated in old state
+}
+```
+
+A _two-state lemma_ works in an analogous way. It is a lemma with both a current-heap
+parameter and an old-heap parameter, it can use `old` expressions in its
+specification (including in the precondition) and body, its parameters may
+use the `new` modifier, and the old-heap parameter is by default passed in as
+the caller's old heap, which can be changed by using an `@`-parameter.
+
+Here is an example of something useful that can be done with a two-state lemma:
+<!-- %check-verify %use Increasing.tmp -->
+```dafny
+function SeqSum(s: seq<Cell>): int
+  reads s
+{
+  if s == [] then 0 else s[0].data + SeqSum(s[1..])
+}
+
+twostate lemma IncSumDiff(s: seq<Cell>)
+  requires forall c :: c in s ==> Increasing(c)
+  ensures old(SeqSum(s)) <= SeqSum(s)
+{
+  if s == [] {
+  } else {
+    calc {
+      old(SeqSum(s));
+    ==  // def. SeqSum
+      old(s[0].data + SeqSum(s[1..]));
+    ==  // distribute old
+      old(s[0].data) + old(SeqSum(s[1..]));
+    <=  { assert Increasing(s[0]); }
+      s[0].data + old(SeqSum(s[1..]));
+    <=  { IncSumDiff(s[1..]); }
+      s[0].data + SeqSum(s[1..]);
+    ==  // def. SeqSum
+      SeqSum(s);
+    }
+  }
+}
+```
+
+A two-state function can be used as a first-class function value, where the receiver
+(if any), type parameters (if any), and old-heap parameter are determined at the
+time the first-class value is mentioned. While the receiver and type parameters can
+be explicitly instantiated in such a use (for example, `p.F<int>` for a two-state
+instance function `F` that takes one type parameter), there is currently no syntactic
+support for giving the old-heap parameter explicitly. A caller can work
+around this restriction by using (fancy-word alert!) eta-expansion, meaning
+wrapping a lambda expression around the call, as in `x => p.F<int>@L(x)`.
+The following example illustrates using such an eta-expansion:
+<!-- %check-verify -->
+```dafny
+class P {
+  twostate function F<X>(x: X): X
+}
+
+method EtaExample(p: P) returns (ghost f: int -> int) {
+  label L:
+  f := x => p.F<int>@L(x);
+}
+```
+
+## 6.4. Function Declarations ([grammar](#g-function-declaration)) {#sec-function-declaration}
+
+### 6.4.1. Functions
+
+Examples:
+<!-- %check-resolve -->
+```dafny
+function f(i: int): real { i as real }
+function g(): (int, int) { (2,3) }
+function h(i: int, k: int): int requires i >= 0 { if i == 0 then 0 else 1 }
+```
+
+Functions may be declared as ghost. If so, all the formal parameters and
+return values are ghost; if it is not a ghost function, then 
+individual parameters may be declared ghost as desired.
+
+See [Section 7.3](#sec-function-specification) for a description of the function specification.
+A Dafny function is a pure mathematical function. It is allowed to
+read memory that was specified in its `reads` expression but is not
+allowed to have any side effects.
+
+Here is an example function declaration:
+<!-- %no-check -->
+```dafny
+function {:att1}{:att2} F<T1, T2>(a: A, b: B, c: C): T
+  requires Pre
+  reads Frame
+  ensures Post
+  decreases Rank
+{
+  Body
+}
+```
+
+where `:att1` and `:att2` are attributes of the function, if any, `T1`
+and `T2` are type parameters of the function (if generic), `a, b, c` are
+the function’s parameters, `T` is the type of the function’s result,
+`Pre` is a boolean expression denoting the function’s precondition,
+`Frame` denotes a set of objects whose fields the function body may
+depend on, `Post` is a boolean expression denoting the function’s
+postcondition, `Rank` is the function’s variant function, and `Body` is
+an expression that defines the function's return value. The precondition
+allows a function to be partial, that is, the precondition says when the
+function is defined (and Dafny will verify that every use of the function
+meets the precondition).
+
+The postcondition is usually not needed, since
+the body of the function gives the full definition. However, the
+postcondition can be a convenient place to declare properties of the
+function that may require an inductive proof to establish, such as when
+the function is recursive. For example:
+
+<!-- %check-verify -->
+```dafny
+function Factorial(n: int): int
+  requires 0 <= n
+  ensures 1 <= Factorial(n)
+{
+  if n == 0 then 1 else Factorial(n-1) * n
+}
+```
+
+says that the result of Factorial is always positive, which Dafny
+verifies inductively from the function body.
+
+Within a postcondition, the result of the function is designated by
+a call of the function, such as `Factorial(n)` in the example above.
+Alternatively, a name for the function result can be given in the signature,
+as in the following rewrite of the example above.
+
+<!-- %check-verify -->
+```dafny
+function Factorial(n: int): (f: int)
+  requires 0 <= n
+  ensures 1 <= f
+{
+  if n == 0 then 1 else Factorial(n-1) * n
+}
+```
+
+Pre v4.0, a function is `ghost` by default, and cannot be called from non-ghost
+code. To make it non-ghost, replace the keyword `function` with the two
+keywords "`function method`". From v4.0 on, a function is non-ghost by
+default. To make it ghost, replace the keyword `function` with the two keywords "`ghost function`".
+(See the [--function-syntax option](#sec-function-syntax) for a description 
+of the migration path for this change in behavior.}
+
+Like methods, functions can be either _instance_ (which they are by default when declared within a type) or
+_static_ (when the function declaration contains the keyword `static` or is declared in a module).
+An instance function, but not a static function, has an implicit receiver parameter, `this`.  
+A static function `F` in a class `C` can be invoked
+by `C.F(…)`. This provides a convenient way to declare a number of helper
+functions in a separate class.
+
+As for methods, a ``...`` is used when declaring
+a function in a module refinement (cf. [Section 10](#sec-module-refinement)).
+ For example, if module `M0` declares
+function `F`, a module `M1` can be declared to refine `M0` and
+`M1` can then refine `F`. The refinement function, `M1.F` can have
+a ``...`` which means to copy the signature from
+`M0.F`. A refinement function can furnish a body for a function
+(if `M0.F` does not provide one). It can also add `ensures`
+clauses.
+
+If a function definition does not have a body, the program that contains it may still be verified.
+The function itself has nothing to verify.
+However, any calls of a body-less function are treated as unverified assumptions by the caller,
+asserting the preconditions and assuming the postconditions.
+Because body-less functions are unverified assumptions, Dafny will not compile them and will complain if called by [`dafny translate`, `dafny build` or even `dafny run`](#command-line)
+
+### 6.4.2. Predicates
+A function that returns a `bool` result is called a _predicate_. As an
+alternative syntax, a predicate can be declared by replacing the `function`
+keyword with the `predicate` keyword and possibly omitting a declaration of the
+return type (if it is not named).
+
+### 6.4.3. Function-by-method {#sec-function-by-method}
+
+A function with a `by method` clause declares a _function-by-method_.
+A function-by-method gives a way to implement a
+(deterministic, side-effect free) function by a method (whose body may be
+nondeterministic and may allocate objects that it modifies). This can
+be useful if the best implementation uses nondeterminism (for example,
+because it uses `:|` in a nondeterministic way) in a way that does not
+affect the result, or if the implementation temporarily makes use of some
+mutable data structures, or if the implementation is done with a loop.
+For example, here is the standard definition of the Fibonacci function
+but with an efficient implementation that uses a loop:
+
+<!-- %check-verify -->
+```dafny
+function Fib(n: nat): nat {
+  if n < 2 then n else Fib(n - 2) + Fib(n - 1)
+} by method {
+  var x, y := 0, 1;
+  for i := 0 to n
+    invariant x == Fib(i) && y == Fib(i + 1)
+  {
+    x, y := y, x + y;
+  }
+  return x;
+}
+```
+
+The `by method` clause is allowed only for non-ghost `function` or `predicate`
+declarations (without `twostate`, `least`, and `greatest`, but
+possibly with `static`); it inherits the in-parameters, attributes, and `requires` and `decreases`
+clauses of the function. The method also gets one out-parameter, corresponding
+to the function's result value (and the name of it, if present). Finally,
+the method gets an empty `modifies` clause and a postcondition
+`ensures r == F(args)`, where `r` is the name of the out-parameter and
+`F(args)` is the function with its arguments. In other words, the method
+body must compute and return exactly what the function says, and must
+do so without modifying any previously existing heap state.
+
+The function body of a function-by-method is allowed to be ghost, but the
+method body must be compilable. In non-ghost contexts, the compiler turns a
+call of the function-by-method into a call that leads to the method body.
+
+Note, the method body of a function-by-method may contain `print` statements.
+This means that the run-time evaluation of an expression may have print effects.
+If `--track-print-effects` is enabled, this use of print in a function context
+will be disallowed.
+
+### 6.4.4. Function Hiding {#sec-opaque}
+A function is said to be _revealed_ at a location if the
+body of the function is visible for verification at that point, otherwise it is considered _hidden_.
+
+Functions are revealed by default, but can be hidden using the `hide` statement, which takes either a specific function or a wildcard, to hide all functions. Hiding a function can speed up verification of a proof if the body of that function is not needed for the proof. See the [hide statement](#hide-statement) for more information.
+
+Although mostly made obsolete by the hide statement, a function can also be hidden using the `opaque` keyword, or using the option `default-function-opacity`. Here are the rules regarding those:
+
+Inside the module where the function is declared:
+  - If `--default-function-opacity` is set to `transparent` (default), then:
+     - if there is no `opaque` modifier, the function is transparent.
+     - if there is an `opaque` modifier, then the function is opaque. If the function is mentioned in a `reveal` statement, then
+     its body is available starting at that `reveal` statement.
+
+  - If `--default-function-opacity` is set to `opaque`, then:
+    - if there is no [`{:transparent}` attribute](#sec-transparent), the function is opaque. If the function is mentioned in a `reveal` statement, then the body of the function is available starting at that `reveal` statement.
+    - if there is a [`{:transparent}` attribute](#sec-transparent), then the function is transparent.
+
+  - If `--default-function-opacity` is set to `autoRevealDependencies`, then:
+    - if there is no [`{:transparent}` attribute](#sec-transparent), the function is opaque. However, the body of the function is available inside any callable that depends on this function via an implicitly inserted `reveal` statement, unless the callable has the [`{autoRevealDependencies k}` attribute](#sec-autorevealdependencies) for some natural number `k` which is too low.
+    - if there is a [`{:transparent}` attribute](#sec-transparent), then the function is transparent.
+
+Outside the module where the function is declared, the function is
+  visible only if it was listed in the export set by which the contents
+  of its module was imported. In that case, if the function was exported
+  with `reveals`, the rules are the same within the importing module as when the function is used inside
+  its declaring module. If the function is exported only with `provides` it is
+  always hidden and is not permitted to be used in a reveal statement.
+
+More information about the Boogie implementation of opaquenes is [here](https://github.com/dafny-lang/dafny/blob/master/docs/Compilation/Boogie.md).
+
+### 6.4.5. Extreme (Least or Greatest) Predicates and Lemmas
+See [Section 12.5.3](#sec-friendliness) for descriptions
+of extreme predicates and lemmas.
+
+### 6.4.6. `older` parameters in predicates {#sec-older-parameters}
+
+A parameter of any predicate (more precisely, of any
+boolean-returning, non-extreme function) can be marked as
+`older`. This specifies that the truth of the predicate implies that
+the allocatedness of the parameter follows from the allocatedness of
+the non-`older` parameters.
+
+To understand what this means and why this attribute is useful,
+consider the following example, which specifies reachability between
+nodes in a directed graph. A `Node` is declared to have any number of
+children:
+
+<!-- %check-verify %save Node.tmp -->
+```dafny
+class Node {
+  var children: seq<Node>
+}
+```
+
+There are several ways one could specify reachability between
+nodes. One way (which is used in `Test/dafny1/SchorrWaite.dfy` in the
+Dafny test suite) is to define a type `Path`, representing lists of
+`Node`s, and to define a predicate that checks if a given list of
+`Node`s is indeed a path between two given nodes:
+
+<!-- %check-verify %use Node.tmp %save ReachableVia.tmp -->
+```dafny
+datatype Path = Empty | Extend(Path, Node)
+
+predicate ReachableVia(source: Node, p: Path, sink: Node, S: set<Node>)
+  reads S
+  decreases p
+{
+  match p
+  case Empty =>
+    source == sink
+  case Extend(prefix, n) =>
+    n in S && sink in n.children && ReachableVia(source, prefix, n, S)
+}
+```
+
+In a nutshell, the definition of `ReachableVia` says
+
+* An empty path lets `source` reach `sink` just when
+  `source` and `sink` are the same node.
+* A path `Extend(prefix, n)` lets `source` reach `sink` just when
+  the path `prefix` lets `source` reach `n` and `sink` is one of
+  the children nodes of `n`.
+
+To be admissible by Dafny, the recursive predicate must be shown to
+terminate. Termination is assured by the specification `decreases p`,
+since every such datatype value has a finite structure and every
+recursive call passes in a path that is structurally included in the
+previous. Predicate `ReachableVia` must also declare (an upper bound
+on) which heap objects it depends on. For this purpose, the
+predicate takes an additional parameter `S`, which is used to limit
+the set of intermediate nodes in the path. More precisely, predicate
+`ReachableVia(source, p, sink, S)` returns `true` if and only if `p`
+is a list of nodes in `S` and `source` can reach `sink` via `p`.
+
+Using predicate `ReachableVia`, we can now define reachability in `S`:
+
+<!-- %check-resolve Types.13.expect %use ReachableVia.tmp -->
+```dafny
+predicate Reachable(source: Node, sink: Node, S: set<Node>)
+  reads S
+{
+  exists p :: ReachableVia(source, p, sink, S)
+}
+```
+
+This looks like a good definition of reachability, but Dafny won't
+admit it. The reason is twofold:
+
+* Quantifiers and comprehensions are allowed to range only over
+  allocated state. Ater all, Dafny is a type-safe language where every
+  object reference is _valid_ (that is, a pointer to allocated storage
+  of the right type)---it should not be possible, not even through a
+  bound variable in a quantifier or comprehension, for a program to
+  obtain an object reference that isn't valid.
+
+* This property is ensured by disallowing _open-ended_ quantifiers.
+  More precisely, the object references that a quantifier may range
+  over must be shown to be confined to object references that were
+  allocated before some of the non-`older` parameters passed to the
+  predicate. Quantifiers that are not open-ended are called
+  _close-ended_. Note that close-ended refers only to the object
+  references that the quantification or comprehension ranges over---it
+  does not say anything about values of other types, like integers.
+
+Often, it is easy to show that a quantifier is close-ended. In fact,
+if the type of a bound variable does not contain any object
+references, then the quantifier is trivially close-ended. For example,
+
+<!-- %no-check -->
+```dafny
+forall x: int :: x <= Square(x)
+```
+
+is trivially close-ended.
+
+Another innocent-looking quantifier occurs in the following example:
+
+<!-- %check-resolve Types.14.expect -->
+```dafny
+predicate IsCommutative<X>(r: (X, X) -> bool)
+{
+  forall x, y :: r(x, y) == r(y, x) // error: open-ended quantifier
+}
+```
+
+Since nothing is known about type `X`, this quantifier might be
+open-ended.  For example, if `X` were passed in as a class type, then
+the quantifier would be open-ended. One way to fix this predicate is
+to restrict it to non-heap based types, which is indicated with the
+`(!new)` type characteristic (see [Section 5.3.1.4](#sec-non-heap-based)):
+
+<!-- %check-verify -->
+```dafny
+ghost predicate IsCommutative<X(!new)>(r: (X, X) -> bool) // X is restricted to non-heap types
+{
+  forall x, y :: r(x, y) == r(y, x) // allowed
+}
+```
+
+Another way to make `IsCommutative` close-ended is to constrain the values
+of the bound variables `x` and `y`. This can be done by adding a parameter
+to the predicate and limiting the quantified values to ones in the given set:
+
+<!-- %check-verify -->
+```dafny
+predicate IsCommutativeInS<X>(r: (X, X) -> bool, S: set<X>)
+{
+  forall x, y :: x in S && y in S ==> r(x, y) == r(y, x) // close-ended
+}
+```
+
+Through a simple syntactic analysis, Dafny detects the antecedents
+`x in S` and `y in S`, and since `S` is a parameter and thus can only be
+passed in as something that the caller has already allocated, the
+quantifier in `IsCommutativeInS` is determined to be close-ended.
+
+Note, the `x in S` trick does not work for the motivating example,
+`Reachable`. If you try to write
+
+<!-- %check-resolve Types.15.expect %use ReachableVia.tmp -->
+```dafny
+predicate Reachable(source: Node, sink: Node, S: set<Node>)
+  reads S
+{
+  exists p :: p in S && ReachableVia(source, p, sink, S) // type error: p
+}
+```
+
+you will get a type error, because `p in S` does not make sense if `p`
+has type `Path`. We need some other way to justify that the
+quantification in `Reachable` is close-ended.
+
+Dafny offers a way to extend the `x in S` trick to more situations.
+This is where the `older` modifier comes in. Before we apply `older`
+in the `Reachable` example, let's first look at what `older` does in a
+less cluttered example.
+
+Suppose we rewrite `IsCommutativeInS` using a programmer-defined predicate `In`:
+
+<!-- %check-resolve Types.16.expect -->
+```dafny
+predicate In<X>(x: X, S: set<X>) {
+  x in S
+}
+
+predicate IsCommutativeInS<X>(r: (X, X) -> bool, S: set<X>)
+{
+  forall x, y :: In(x, S) && In(y, S) ==> r(x, y) == r(y, x) // error: open-ended?
+}
+```
+
+The simple syntactic analysis that looks for `x in S` finds nothing
+here, because the `in` operator is relegated to the body of predicate
+`In`. To inform the analysis that `In` is a predicate that, in effect,
+is like `in`, you can mark parameter `x` with `older`:
+
+<!-- %check-verify -->
+```dafny
+predicate In<X>(older x: X, S: set<X>) {
+  x in S
+}
+```
+
+This causes the simple syntactic analysis to accept the quantifier in
+`IsCommutativeInS`. Adding `older` also imposes a semantic check on
+the body of predicate `In`, enforced by the verifier. The semantic
+check is that all the object references in the value `x` are older (or
+equally old as) the object references that are part of the other
+parameters, _in the event that the predicate returns true_. That is,
+`older` is designed to help the caller only if the predicate returns
+`true`, and the semantic check amounts to nothing if the predicate
+returns `false`.
+
+Finally, let's get back to the motivating example. To allow the quantifier
+in `Reachable`, mark parameter `p` of `ReachableVia` with `older`:
+
+<!-- %check-verify -->
+```dafny
+class Node {
+  var children: seq<Node>
+}
+
+datatype Path = Empty | Extend(Path, Node)
+
+ghost predicate Reachable(source: Node, sink: Node, S: set<Node>)
+  reads S
+{
+  exists p :: ReachableVia(source, p, sink, S) // allowed because of 'older p' on ReachableVia
+}
+
+ghost predicate ReachableVia(source: Node, older p: Path, sink: Node, S: set<Node>)
+  reads S
+  decreases p
+{
+  match p
+  case Empty =>
+    source == sink
+  case Extend(prefix, n) =>
+    n in S && sink in n.children && ReachableVia(source, prefix, n, S)
+}
+```
+
+This example is more involved than the simpler `In` example
+above. Because of the `older` modifier on the parameter, the quantifier in
+`Reachable` is allowed. For intuition, you can think of the effect of
+`older p` as adding an antecedent `p in {source} + {sink} + S`
+(but, as we have seen, this is not type correct). The semantic check
+imposed on the body of `ReachableVia` makes sure that, if the
+predicate returns `true`, then every object reference in `p` is as old
+as some object reference in another parameter to the predicate.
+
+## 6.5. Nameonly Formal Parameters and Default-Value Expressions
+
+A formal parameter of a method, constructor in a class, iterator,
+function, or datatype constructor can be declared with an expression
+denoting a _default value_. This makes the parameter _optional_,
+as opposed to _required_.
+
+For example,
+<!-- %check-resolve %save f.tmp -->
+```dafny
+function f(x: int, y: int := 10): int
+```
+may be called as either
+<!-- %check-resolve %use f.tmp -->
+```dafny
+const i := f(1, 2)
+const j := f(1)
+```
+where `f(1)` is equivalent to `f(1, 10)` in this case.
+
+The above function may also be called as
+<!-- %no-check -->
+```dafny
+var k := f(y := 10, x := 2);
+```
+using names; actual arguments with names may be given in any order,
+though they must be after actual arguments without names. 
+
+Formal parameters may also be declared `nameonly`, in which case a call site
+must always explicitly name the formal when providing its actual argument.
+
+For example, a function `ff` declared as
+<!-- %check-resolve -->
+```dafny
+function ff(x: int, nameonly y: int): int
+```
+must be called either by listing the value for x and then y with a name, 
+as in `ff(0, y := 4)` or by giving both actuals by name (in any order). 
+A `nameonly` formal may also have a default value and thus be optional.
+
+Any formals after a `nameonly` formal must either be `nameonly` themselves or have default values.
+
+The formals of datatype constructors are not required to have names.
+A nameless formal may not have a default value, nor may it follow a formal
+that has a default value.
+
+The default-value expression for a parameter is allowed to mention the
+other parameters, including `this` (for instance methods and instance
+functions), but not the implicit `_k` parameter in least and greatest
+predicates and lemmas. The default value of a parameter may mention
+both preceding and subsequent parameters, but there may not be any
+dependent cycle between the parameters and their default-value
+expressions.
+
+The [well-formedness](#sec-assertion-batches) of default-value expressions is checked independent
+of the precondition of the enclosing declaration. For a function, the
+parameter default-value expressions may only read what the function's
+`reads` clause allows. For a datatype constructor, parameter default-value
+expressions may not read anything. A default-value expression may not be
+involved in any recursive or mutually recursive calls with the enclosing
+declaration.
+
diff --git a/v4.10.0/DafnyRef/UserGuide.1.expect b/v4.10.0/DafnyRef/UserGuide.1.expect
new file mode 100644
index 0000000..4460da6
--- /dev/null
+++ b/v4.10.0/DafnyRef/UserGuide.1.expect
@@ -0,0 +1,4 @@
+text.dfy(6,4): Error: a postcondition could not be proved on this return path
+text.dfy(2,12): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/UserGuide.2.expect b/v4.10.0/DafnyRef/UserGuide.2.expect
new file mode 100644
index 0000000..fee03d1
--- /dev/null
+++ b/v4.10.0/DafnyRef/UserGuide.2.expect
@@ -0,0 +1,4 @@
+text.dfy(7,4): Error: a postcondition could not be proved on this return path
+text.dfy(2,12): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/UserGuide.3.expect b/v4.10.0/DafnyRef/UserGuide.3.expect
new file mode 100644
index 0000000..649ca8f
--- /dev/null
+++ b/v4.10.0/DafnyRef/UserGuide.3.expect
@@ -0,0 +1,3 @@
+text.dfy(7,4): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/UserGuide.4.expect b/v4.10.0/DafnyRef/UserGuide.4.expect
new file mode 100644
index 0000000..649ca8f
--- /dev/null
+++ b/v4.10.0/DafnyRef/UserGuide.4.expect
@@ -0,0 +1,3 @@
+text.dfy(7,4): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/UserGuide.5.expect b/v4.10.0/DafnyRef/UserGuide.5.expect
new file mode 100644
index 0000000..4b136e3
--- /dev/null
+++ b/v4.10.0/DafnyRef/UserGuide.5.expect
@@ -0,0 +1,3 @@
+text.dfy(6,4): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/UserGuide.6.expect b/v4.10.0/DafnyRef/UserGuide.6.expect
new file mode 100644
index 0000000..9437cf4
--- /dev/null
+++ b/v4.10.0/DafnyRef/UserGuide.6.expect
@@ -0,0 +1,3 @@
+text.dfy(5,19): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/UserGuide.7.expect b/v4.10.0/DafnyRef/UserGuide.7.expect
new file mode 100644
index 0000000..0368a09
--- /dev/null
+++ b/v4.10.0/DafnyRef/UserGuide.7.expect
@@ -0,0 +1,3 @@
+text.dfy(4,19): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/DafnyRef/UserGuide.8.expect b/v4.10.0/DafnyRef/UserGuide.8.expect
new file mode 100644
index 0000000..4cbde3d
--- /dev/null
+++ b/v4.10.0/DafnyRef/UserGuide.8.expect
@@ -0,0 +1,3 @@
+text.dfy(5,13): Error: result of operation might violate newtype constraint for 'byte'
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/DafnyRef/UserGuide.md b/v4.10.0/DafnyRef/UserGuide.md
new file mode 100644
index 0000000..8fd4ce1
--- /dev/null
+++ b/v4.10.0/DafnyRef/UserGuide.md
@@ -0,0 +1,2781 @@
+# 13. Dafny User's Guide {#sec-user-guide}
+
+Most of this document describes the Dafny programming language.
+This section describes the `dafny` tool, a combined verifier and compiler
+that implements the Dafny language.
+
+The development of the Dafny language and tool is a GitHub project at [https://github.com/dafny-lang/dafny](https://github.com/dafny-lang/dafny).
+The project is open source, with collaborators from various organizations; additional contributors are welcome.
+The software itself is licensed under the [MIT license](https://github.com/dafny-lang/dafny/blob/master/LICENSE.txt).
+
+## 13.1. Introduction
+
+The `dafny` tool implements the following primary capabilities, implemented as various [_commands_](#sec-dafny-commands) within the `dafny` tool:
+
+- checking that the input files represent a valid Dafny program (i.e., syntax, grammar and name and type resolution);
+- verifying that the program meets its specifications, by translating the program to verification conditions
+and checking those with Boogie and an SMT solver, typically Z3;
+- compiling the program to a target language, such as C#, Java, Javascript, Go (and others in development);
+- running the executable produced by the compiler.
+
+In addition there are a variety of other capabilities, such as formatting files, also implemented as commands;
+more such commands are expected in the future.
+
+## 13.2. Installing Dafny
+
+### 13.2.1. Command-line tools
+
+The instructions for installing `dafny` and the required dependencies and environment
+are described on the Dafny wiki:
+[https://github.com/dafny-lang/dafny/wiki/INSTALL](https://github.com/dafny-lang/dafny/wiki/INSTALL).
+They are not repeated here to avoid replicating information that
+easily becomes inconsistent and out of date.
+The dafny tool can also be installed using `dotnet tool install --global dafny`
+(presuming that `dotnet` is already installed on your system).
+
+Most users will find it most convenient to install the pre-built Dafny binaries available on the project release site or using the `dotnet` CLI.
+As is typical for Open Source projects, dafny can also be built directly from the source files maintained in the github project.
+
+Current and past Dafny binary releases can be found at
+[https://github.com/dafny-lang/dafny/releases](https://github.com/dafny-lang/dafny/releases) for each supported platform.
+Each release is a .zip file with a name combining the release name and the
+platform. Current platforms are Windows 11, Ubuntu 20 and later, and MacOS 10.14 and later.
+
+The dafny tool is distributed as a standalone executable. 
+A compatible version of the required Z3 solver is included in the release.
+There are additional dependencies that are needed to compile dafny to particular target languages,
+as described in the release instructions.
+A development environment to _build_ dafny from source requires additional dependencies, 
+described [here](https://github.com/dafny-lang/dafny/wiki/INSTALL#building-and-developing-from-source-code).
+
+
+### 13.2.2. IDEs for Dafny {#sec-ides}
+
+Dafny source files are text files and can of course be edited with any
+text editor. However, some tools provide syntax-aware features:
+
+- VSCode, a cross-platform editor for many programming languages has an extension for Dafny. 
+  VSCode is available [here](http://code.visualstudio.com) and the Dafny extension can be installed from within VSCode.
+  The [extension](#sec-dafny-language-server-vscode) provides syntax highlighting, in-line parser,
+  type and verification errors, code navigation, counter-example display and gutter highlights.
+- There is a [Dafny mode for
+    Emacs](https://github.com/boogie-org/boogie-friends).
+- An old Visual Studio plugin is no longer supported
+
+Information about installing IDE extensions for Dafny is found
+on the [Dafny INSTALL page in the wiki](https://github.com/dafny-lang/dafny/wiki/INSTALL).
+
+More information about using VSCode IDE is [here](#sec-dafny-language-server-vscode).
+
+## 13.3. Dafny Programs and Files
+
+A Dafny program is a set of modules.
+Modules can refer to other modules, such as through `import` declarations
+or `refines` clauses.
+A Dafny program consists of all the modules needed so that all module
+references are resolved.
+Dafny programs are contained in files that have a `.dfy` suffix.
+Such files each hold
+some number of top-level declarations. Thus a full program may be
+distributed among multiple files.
+To apply the `dafny` tool to a Dafny program, the `dafny` tool must be
+given all the files making up a complete program (or, possibly, more than
+one program at a time). This can be effected either by listing all of the files
+by name on the command-line or by using `include` directives within a file
+to stipulate what other files contain modules that the given files need.
+Thus the complete set of modules are all the modules in all the files listed
+on the command-line or referenced, recursively, by `include` directives
+within those files. It does not matter if files are repeated either as
+includes or on the command-line.[^fn-duplicate-files]
+
+All files recursively included are always parsed and type-checked.
+However, which files are verified, built, run, or processed by other
+dafny commands depends on the individual command. 
+These commands are described in [Section 13.6.1](#sec-dafny-commands).
+
+[^fn-duplicate-files]: Files may be included more than once or both included and listed on the command line. Duplicate inclusions are detected and each file processed only once.
+For the purpose of detecting duplicates, file names are considered equal if they have the same absolute path, compared as case-sensitive strings (regardless of whether the underlying file-system is case sensitive).  Using symbolic links may make the same file have a different absolute path; this will generally cause duplicate declaration errors.
+
+### 13.3.1. Dafny Verification Artifacts: the Library Backend and .doo Files {#sec-doo-files}
+
+As of Dafny 4.1, `dafny` now supports outputting a single file containing
+a fully-verified program along with metadata about how it was verified.
+Such files use the extension `.doo`, for Dafny Output Object,
+and can be used as input anywhere a `.dfy` file can be.
+
+`.doo` files are produced by an additional backend called the "Dafny Library" backend,
+identified with the name `lib` on the command line. For example, to build multiple
+Dafny files into a single build artifact for shared reuse, the command would look something like:
+
+```bash
+dafny build -t:lib A.dfy B.dfy C.dfy --output:MyLib.doo
+```
+
+The Dafny code contained in a `.doo` file is not re-verified when passed back to the `dafny` tool,
+just as included files and those passed with the `--library` option are not.
+Using `.doo` files provides a guarantee that the Dafny code was in fact verified,
+however, and therefore offers protection against build system mistakes.
+`.doo` files are therefore ideal for sharing Dafny libraries between projects.
+
+`.doo` files also contain metadata about the version of Dafny used to verify them
+and the values of relevant options that affect the sound separate verification and
+compilation of Dafny code, such as `--unicode-char`.
+This means attempting to use a library that was built with options
+that are not compatible with the currently executing command options
+will lead to errors.
+This also includes attempting to use a `.doo` file built with a different version of Dafny,
+although this restriction may be lifted in the future.
+
+A `.doo` file is a compressed archive of multiple files, similar to the `.jar` file format for Java packages.
+The exact file format is internal and may evolve over time to support additional features.
+
+Note that the library backend only supports the [newer command-style CLI interface](#sec-dafny-commands).
+
+### 13.3.2. Dafny Translation Artifacts: .dtr Files {#sec-dtr-files}
+
+Some options, such as `--outer-module` or `--optimize-erasable-datatype-wrapper`,
+affect what target language code the same Dafny code is translated to.
+In order to translate Dafny libraries separately from their consuming codebases,
+the translation process for consuming code needs to be aware
+of what options were used when translating the library.
+
+For example, if a library defines a `Foo()` function in an `A` module,
+but `--outer-module org.coolstuff.foolibrary.dafnyinternal` is specified when translating the library to Java,
+then a reference to `A.Foo()` in a consuming Dafny project
+needs to be translated to `org.coolstuff.foolibrary.dafnyinternal.A.Foo()`,
+independently of what value of `--outer-module` is used for the consuming project.
+
+To meet this need,
+`dafny translate` also outputs a `<program-name>-<target id>.dtr` Dafny Translation Record file.
+Like `.doo` files, `.dtr` files record all the relevant options that were used,
+in this case relevant to translation rather than verification.
+These files can be provided to future calls to `dafny translate` using the `--translation-record` option,
+in order to provide the details of how various libraries provided with the `--library` flag were translated.
+
+Currently `--outer-module` is the only option recorded in `.dtr` files,
+but more relevant options will be added in the future.
+A later version of Dafny will also require `.dtr` files that cover all modules
+that are defined in `--library` options,
+to support checking that all relevant options are compatible.
+
+## 13.4. Dafny Standard Libraries
+
+As of Dafny 4.4, the `dafny` tool includes standard libraries that any Dafny code base can depend on.
+For now they are only available when the `--standard-libraries` option is provided,
+but they will likely be available by default in the next major version of Dafny.
+
+See https://github.com/dafny-lang/dafny/blob/master/Source/DafnyStandardLibraries/README.md for details.
+
+## 13.5. Dafny Code Style
+
+There are coding style conventions for Dafny code, recorded [here](https://dafny-lang.github.io/dafny/StyleGuide/Style-Guide).
+Most significantly, code is written without tabs and with a 2 space indentation. Following code style conventions 
+improves readability but does not alter program semantics.
+
+## 13.6. Using Dafny From the Command Line {#command-line}
+
+`dafny` is a conventional command-line tool, operating just like other
+command-line tools in Windows and Unix-like systems.
+In general, the format of a command-line is determined by the shell program that is executing the command-line 
+(.e.g., bash, the windows shell, COMMAND, etc.), 
+but is expected to be a series of space-separated "words", each representing a command, option, option argument, file, or folder. 
+
+### 13.6.1. dafny commands {#sec-dafny-commands}
+
+As of v3.9.0, `dafny` uses a command-style command-line (like `git` for example); prior to v3.9.0, the 
+command line consisted only of options and files.
+It is expected that additional commands will be added in the future.
+Each command may have its own subcommands and its own options, in addition to generally applicable options. 
+Thus the format of the command-line is
+a command name, followed by options and files:
+`dafny <command> <options> <files>`;
+the command-name must be the first command-line argument.
+
+The command-line `dafny --help` or `dafny -h` lists all the available commands.
+
+The command-line `dafny <command> --help` (or `-h` or `-?`) gives help information for that particular \<command\>, including the list of options.
+Some options for a particular command are intended only for internal tool development; those are shown using the `--help-internal` option instead of `--help`.
+
+Also, the command-style command-line has modernized the syntax of options; they are now POSIX-compliant.
+Like many other tools, options now typically begin with a double hyphen, 
+with some options having a single-hyphen short form, such as `--help` and `-h`.
+ 
+If no \<command\> is given, then the command-line is presumed to use old-style syntax, so any previously 
+written command-line will still be valid.
+
+`dafny` recognizes the commands described in the following subsections. The most commonly used
+are [`dafny verify`](#sec-dafny-verify), [`dafny build`](#sec-dafny-build), and [`dafny run`](#sec-dafny-run).
+
+The command-line also expects the following:
+- Files are designated by absolute paths or paths relative to the current
+working directory. A command-line argument not matching a known option is considered a filepath, and likely one
+with an unsupported suffix, provoking an error message.
+- Files containing dafny code must have a `.dfy` suffix.
+- There must be at least one `.dfy` file (except when using `--stdin` or in the case of `dafny format`, see the [Dafny format section](#sec-dafny-format)) 
+- The command-line may contain other kinds of files appropriate to
+the language that the Dafny files are being compiled to. The kind of file is determined by its suffix.
+- Escape characters are determined by the shell executing the command-line.
+- Per POSIX convention, the option `--` means that all subsequent command-line arguments are not options to the dafny tool; they are either files or arguments to the `dafny run` command.
+- If an option is repeated (e.g., with a different argument), then the later instance on the command-line supersedes the earlier instance, with just a few options accumulating arguments.
+- If an option takes an argument, the option name is followed by a `:` or `=` or whitespace and then by the argument value; if the argument itself contains white space, the argument must be enclosed in quotes. It is recommended to use the `:` or `=` style to avoid misinterpretation or separation of a value from its option.
+- Boolean options can take the values `true` and `false` (or any case-insensitive version of those words). For example, the value of `--no-verify` is by default `false` (that is, do verification). 
+It can be explicitly set to true (no verification) using `--no-verify`, `--no-verify:true`, `--no-verify=true`, `--noverify true`; 
+it can be explicitly set false (do verification) using `--no-verify:false` or `--no-verify=false` or `--no-verify false`.
+- There is a potential ambiguity when the form `--option value` is used if the value is optional (such as for boolean values). In such a case an argument after an option (that does not have an argument given with `:` or `=`) is interpreted as the value if it is indeed a valid value for that option. However, better style advises always using a ':' or '=' to set option values.
+No valid option values in dafny look like filenames or begin with `--`.
+
+#### 13.6.1.1. Options that are not associated with a command
+
+A few options are not part of a command. In these cases any single-hyphen spelling also permits a spelling beginning with '/'.
+- `dafny --help` or `dafny -h` lists all the available commands
+- `dafny -?` or `dafny -help` list all legacy options
+- `dafny --version` (or `-version`) prints out the number of the version this build of dafny implements
+
+
+#### 13.6.1.2. `dafny resolve` {#sec-dafny-resolve}
+
+The `dafny resolve` command checks the command-line and then parses and typechecks the given files and any included files.
+
+The set of files considered by `dafny` are those listed on the command-line,
+including those named in a `--library` option, and all files that are
+named, recursively, in `include` directives in files in the set being considered by the tool.
+
+The set of files presented to an invocation of the `dafny` tool must 
+contain all the declarations needed to resolve all names and types, 
+else name or type resolution errors will be emitted.
+
+`dafny` can parse and verify sets of files that do not form a 
+complete program because they are missing the implementations of 
+some constructs such as functions, lemmas, and loop bodies.[^incomplete]
+However, `dafny` will need all implementations in order to compile a working executable.
+
+[^incomplete]: Unlike some languages, Dafny does not allow separation of 
+declaration and implementation of methods, functions and types in separate files, nor, for that matter,
+separation of specification and declaration. Implementations can be 
+omitted simply by leaving them out of the declaration (or a lemma, for example).
+However, a combination of [`traits`](#sec-trait-types) and
+[`classes`](#sec-class-types) can achieve a separation of interface
+and specification from
+implementation.
+
+The options relevant to this command are
+- those relevant to the command-line itself
+   - `--allow-warnings` --- return a success [exit code](#sec-exit-codes), even when there are warnings 
+
+- those that affect dafny` as a whole, such as
+   - `--cores` --- set the number of cores dafny should use
+   - `--show-snippets` --- emit a line or so of source code along with an error message
+   - `--library` --- include this file in the program, but do not verify or compile it (multiple such library files can be listed using multiple instances of the `--library` option)
+   - `--stdin` -- read from standard input
+- those that affect the syntax of Dafny, such as
+   - `--prelude`
+   - `--unicode-char`
+   - `--function-syntax` <version>
+   - `--quantifier-syntax` <version>
+   - `--track-print-effects`
+   - `--warn-shadowing`
+   - `--warn-missing-constructor-parentheses`
+
+
+#### 13.6.1.3. `dafny verify` {#sec-dafny-verify}
+
+The `dafny verify` command performs the [`dafny resolve`](#sec-dafny-resolve) checks and then attempts to verify each declaration in the program.
+
+A guide to controlling and aiding the verification process is given in [a later section](#sec-verification).
+
+To be considered _verified_ all the methods in all the files in a program must be verified, with consistent sets of options,
+and with no unproven assumptions (see [`dafny audit`](#sec-dafny-audit) for a tool to help identify such assumptions).
+
+Dafny works _modularly_, meaning that each method is considered by itself, using only the specifications of other methods.
+So, when using the dafny tool, you can verify the program all at once or one file at a time or groups of files at a time.
+On a large program, verifying all files at once can take quite a while, with little feedback as to progress, though it does
+save a small amount of work by parsing all files just once. But, one way or another, to have a complete verification, all 
+implementations of all methods and functions must eventually be verified.
+
+- By default, only those files listed on the command-line are verified in a given invocation of the `dafny` tool.
+- The option `--verify-included-files` (`-verifyAllModules` in legacy mode) forces the contents of all non-library files to be verified, whether they are listed on the command-line or recursively included by files on the command-line.
+- The `--library` option marks files that are excluded from `--verify-included-files`. Such a file may also, but need not, be the target of an `include` directive in some file of the program; in any case, such files are included in the program but not in the set of files verified (or compiled). The intent of this option is to mark files that
+should be considered as libraries that are independently verified prior to being released for shared use.
+- Verifying files individually is equivalent to verifying them in groups, presuming no other changes.
+It is also permitted to verify completely disjoint files or
+programs together in a single run of `dafny`.
+
+Various options control the verification process, in addition to all those described for [`dafny resolve`](#sec-dafny-resolve).
+
+- What is verified
+   - `--verify-included-files` (when enabled, all included files are verified, except library files, otherwise just those files on the command-line)
+   - `--relax-definite-assignment`
+   - `--track-print-effects`
+   - `--disable-nonlinear-arithmetic`
+   - `--filter-symbol`
+
+- Control of the proof engine
+   - `--manual-lemma-induction`
+   - `--verification-time-limit`
+   - `--boogie`
+   - `--solver-path`
+
+
+#### 13.6.1.4. `dafny translate <language>` {#sec-dafny-translate}
+
+The `dafny translate` command translates Dafny source code to source code for another target programming language.
+The command always performs the actions of `dafny resolve` and, unless the `--no-verify` option is specified, does the actions of `dafny verify`.
+The language is designated by a subcommand argument, rather than an option, and is required.
+The current set of supported target languages is 
+- cs (C#)
+- java (Java)
+- js (JavaScript)
+- py (Python)
+- go (Go)
+- cpp (C++ -- but only limited support)
+
+In addition to generating the target source code, `dafny` may generate build artifacts to assist in compiling the generated code.
+The specific files generated depend on the target programming language.
+More detail is given in [the section on compilation](#sec-compilation).
+
+The `dafny` tool intends that the compiled program in the target language be a semantically faithful rendering of the 
+(verified) Dafny program. However, resource and language limitations make this not always possible. 
+For example, though Dafny can express and reason about arrays of unbounded size, 
+not all target programming languages can represent arrays larger than the maximum signed 32-bit integer.
+
+Various options control the translation process, in addition to all those described for [`dafny resolve`](#sec-dafny-resolve) and [`dafny verify`](#sec-dafny-verify).
+
+- General options:
+   - `--no-verify` --- turns off all attempts to verify the program
+   - `--verbose` --- print information about generated files
+
+- The translation results
+   - `--output` (or `-o`) --- location of the generated file(s) (this specifies a file path and name; a folder location for artifacts is derived from this name)
+   - `--include-runtime` --- include the Dafny runtime for the target language in the generated artifacts
+   - `--optimize-erasable-datatype-wrapper`
+   - `--enforce-determinism`
+   - `--test-assumptions` --- (experimental) inserts runtime checks for unverified assumptions when they are compilable
+
+#### 13.6.1.5. `dafny build` {#sec-dafny-build}
+
+The `dafny build` command runs `dafny translate` and then compiles the result into an executable artifact for the target platform,
+such as a `.exe` or `.dll` or executable `.jar`, or just the source code for an interpreted language.
+If the Dafny program does not have a Main entry point, then the build command creates a library, such as a `.dll` or `.jar`.
+As with `dafny translate`, all the previous phases are also executed, including verification (unless `--no-verify` is a command-line option).
+By default, the generated file is in the same directory and has the same name with a different extension as the first
+.dfy file on the command line. This location and name can be set by the `--output` option.
+
+The location of the `Main` entry point is described [here](#sec-user-guide-main}.
+
+There are no additional options for `dafny build` beyond those for `dafny translate` and the previous compiler phases.
+
+Note that `dafny build` may do optimizations that `dafny run` does not.
+
+Details for specific target platforms are described [in Section 25.7](#sec-compilation).
+
+#### 13.6.1.6. `dafny run` {#sec-dafny-run}
+
+The `dafny run` command compiles the Dafny program and then runs the resulting executable.
+Note that `dafny run` is engineered to quickly compile and launch the program; 
+`dafny build` may take more time to do optimizations of the build artifacts.
+
+The form of the `dafny run` command-line is slightly different than for other commands.
+- It permits just one `.dfy` file, which must be the file containing the `Main` entry point;
+the location of the `Main` entry point is described [here](#sec-user-guide-main}.
+- Other files are included in the program either by `include` directives within that one file or by 
+the `--input` option on the command-line. 
+- Anything that is not an option and is not that one dfy file
+is an argument to the program being run (and not to dafny itself).
+- If the `--` option is used, then anything after that option is a command-line argument to the program being run.
+
+During development, users must use `dafny run --allow-warnings` if they want to run their Dafny code when it contains warnings.
+
+Here are some examples:
+  - `dafny run A.dfy` -- builds and runs the Main program in `A.dfy` with no command-line arguments
+  - `dafny run A.dfy --no-verify` -- builds the Main program in `A.dfy` using the `--no-verify` option, and then runs the program with no command-line arguments
+  - `dafny run A.dfy -- --no-verify` -- builds the Main program in `A.dfy` (_not_ using the `--no-verify` option), and then runs the program with one command-line argument, namely `--no-verify`
+  - `dafny run A.dfy 1 2 3 B.dfy` -- builds the Main program in `A.dfy` and
+then runs it with the four command-line arguments `1 2 3 B.dfy`
+  - `dafny run A.dfy 1 2 3 --input B.dfy` -- builds the Main program in `A.dfy` and `B.dfy`, and
+then runs it with the three command-line arguments `1 2 3`
+  - `dafny run A.dfy 1 2 -- 3 -quiet` -- builds the Main program in `A.dfy` and then runs it with the four command-line arguments `1 2 3 -quiet`
+
+Each time `dafny run` is invoked, the input Dafny program is compiled before it is executed.
+If a Dafny program should be run more than once, it can be faster to use `dafny build`,
+which enables compiling a Dafny program once and then running it multiple times.
+
+**Note:** `dafny run` will typically produce the same results as the executables produced by `dafny build`.  The only expected differences are these:
+- performance --- `dafny run` may not optimize as much as `dafny build`
+- target-language-specific configuration issues ---  e.g. encoding issues: `dafny run` sets language-specific flags to request UTF-8 output for the [`print`](#print-encoding) statement in all languages, whereas `dafny build` leaves language-specific runtime configuration to the user.
+
+#### 13.6.1.7. `dafny server` {#sec-dafny-server}
+
+The `dafny server` command starts the Dafny Language Server, which is an [LSP-compliant](https://microsoft.github.io/language-server-protocol/) implementation of Dafny.
+The [Dafny VSCode extension]() uses this LSP implementation, which in turn uses the same core Dafny implementation as the command-line tool.
+
+The Dafny Language Server is described in more detail [here](#sec-dafny-language-server-vscode).
+
+#### 13.6.1.8. `dafny audit` {#sec-dafny-audit}
+
+The `dafny audit` command reports issues in the Dafny code that might limit the soundness claims of verification.
+
+_This command is under development._
+
+The command executes the `dafny resolve` phase (accepting its options) and has the following additional options:
+
+- `--report-file:<report-file>` --- specifies the path where the audit
+   report file will be stored. Without this option, the report
+    will be issued as standard warnings, written to standard-out.
+- `--report-format:<format>` --- specifies the file format to use for
+   the audit report. Supported options include: 
+   - 'txt, 'text': plain text in the format of warnings
+   - 'html': standalone HTML ('html')
+   - 'md', 'markdown', 'md-table', 'markdown-table': a Markdown table
+   - 'md-ietf', 'markdown-ietf': an IETF-language document in Markdown format
+   - The default is to infer the format from the filename extension
+- `--compare-report` --- compare the report that would have
+   been generated with the existing file given by --report-file, and fail if
+   they differ.
+
+The command emits exit codes of
+- 1 for command-line errors
+- 2 for parsing, type-checking or serious errors in running the auditor (e.g. failure to write a report or when report comparison fails)
+- 0 for normal operation, including operation that identifies audit findings
+
+It also takes the `--verbose` option, which then gives information about the files being formatted.
+
+The `dafny audit` command currently reports the following:
+
+* Any declaration marked with the `{:axiom}` attribute.
+This is typically used to mark that a lemma with no body (and is therefore assumed to always be true) is intended as an axiom.
+The key purpose of the `audit` command is to ensure that all assumptions are intentional and acknowledged.
+To improve assurance, however, try to provide a proof.
+
+* Any declaration marked with the `{:verify false}` attribute, which tells the verifier to skip verifying this declaration.
+Removing the attribute and providing a proof will improve assurance.
+
+* Any declaration marked with the `{:extern}` attribute that has at least one `requires` or `ensures` clause.
+If code implemented externally, and called from Dafny, has an `ensures` clause, Dafny assumes that it satisfies that clause.
+Since Dafny cannot prove properties about code written in other languages,
+adding tests to provide evidence that any `ensures` clauses do hold can improve assurance.
+The same considerations apply to `requires` clauses on Dafny code intended to be called from external code.
+
+* Any definition with an `assume` statement in its body.
+To improve assurance, attempt to convert it to an `assert` statement and prove that it holds.
+Such a definition will not be compilable unless the statement is also marked with `{:axiom}`.
+Alternatively, converting it to an `expect` statement will cause it to be checked at runtime.
+
+* Any method marked with `decreases *`.
+Such a method may not terminate.
+Although this cannot cause an unsound proof, in the logic of Dafny,
+it's generally important that any non-termination be intentional.
+
+* Any `forall` statement without a body.
+This is equivalent to an assumption of its conclusion.
+To improve assurance, provide a body that proves the conclusion.
+
+* Any loop without a body.
+This is equivalent to an assumption of any loop invariants in the code after the loop.
+To improve assurance, provide a body that establishes any stated invariants.
+
+* Any declaration with no body and at least one `ensures` clause.
+Any code that calls this declaration will assume that all `ensures` clauses are true after it returns.
+To improve assurance, provide a body that proves that any `ensures` clauses hold.
+
+#### 13.6.1.9. `dafny format` {#sec-dafny-format}
+
+Dafny supports a formatter, which for now only changes the indentation of lines in a Dafny file, so that it conforms
+to the idiomatic Dafny code formatting style.
+For the formatter to work, the file should be parsed correctly by Dafny.
+
+There are four ways to use the formatter:
+
+* `dafny format <one or more .dfy files or folders>` formats the given Dafny files and the Dafny files in the folders, recursively, altering the files in place. For example, `dafny format .` formats all the Dafny files recursively in the current folder.
+* `dafny format --print <files and/or folders>` formats each file but instead of altering the files, output the formatted content to stdout
+* `dafny format --check <files and/or folders>` does not alter files. It will print a message concerning which files need formatting and return a non-zero exit code if any files would be changed by formatting.
+
+You can also use `--stdin` instead of providing a file, to format a full Dafny file from the standard input.
+Input files can be named along with `--stdin`, in which case both the files and the content of the stdin are formatted.
+
+Each version of `dafny format` returns a non-zero return code if there are any command-line or parsing
+errors or if --check is stipulated and at least one file is not the same as its formatted version.  
+`dafny format` does not necessarily report name or type resolution errors and does not attempt verification.
+
+#### 13.6.1.10. `dafny test` {#sec-dafny-test}
+ 
+This command (verifies and compiles the program and) runs every method in the program that is annotated with the [`{:test}` attribute](#sec-test-attribute).
+Verification can be disabled using the `--no-verify` option. `dafny test` also accepts all other options of the `dafny build` command. 
+In particular, it accepts the `--target` option that specifies the programming language used in the build and execution phases.
+
+`dafny test` also accepts these options:
+
+- `-spill-translation` - (default disabled) when enabled the compilation artifacts are retained
+- `--output` - gives the folder and filename root for compilation artifacts
+- `--methods-to-test` - the value is a (.NET) regular expression that is matched against the fully
+  qualified name of the method; only those methods that match are tested
+- `--coverage-report` - the value is a directory in which Dafny will save an html coverage report highlighting parts of
+  the program that execution of the tests covered.
+
+The order in which the tests are run is not specified.
+
+For example, this code (as the file `t.dfy`)
+<!-- %no-check -->
+```dafny
+method {:test} m() {
+  mm();
+  print "Hi!\n";
+}
+
+method mm() {
+  print "mm\n";
+}
+
+module M {
+  method {:test} q() {
+    print 42, "\n";
+  }
+}
+
+class A {
+  static method {:test} t() { print "T\n"; }
+}
+```
+and this command-line
+```bash
+dafny test --no-verify t.dfy
+```
+produce this output text:
+```text
+M.q: 42
+PASSED
+A.t: T
+PASSED
+m: mm
+Hi!
+PASSED
+```
+
+and this command-line
+```bash
+dafny test --no-verify --methods-to-test='m' t.dfy
+```
+produces this output text:
+```text
+m: mm
+Hi!
+PASSED
+```
+
+#### 13.6.1.11. `dafny doc` [Experimental] {#sec-dafny-doc}
+
+The `dafny doc` command generates HTML documentation pages describing the contents of each
+module in a set of files, using the documentation comments in the source files.
+This command is experimental; user feedback and contributor PRs on the layout of information and the navigation are welcome.
+
+* The format of the documentation comments is described [here](#sec-documentation-comments).
+* The `dafny doc` command accepts either files or folders as command-line arguments. A folder
+represents all the `.dfy` files contained recursively in that folder. A file that is a `.toml`
+[project file](#sec-project-files) represents all the files and options listed in the project file.
+* The command first parses and resolves the given files; it only proceeds to produce documentation
+if type resolution is successful (on all files). All the command-line options relevant to 
+`dafny resolve` are available for `dafny doc`.
+* The value of the `--output` option is a folder in which all the generated files will be placed.
+The default location is `./docs`. The folder is created if it does not already exist.
+Any existing content of the folder is overwritten.
+* If `--verbose` is enabled, a list of the generated files is emitted to stdout.
+* The output files contain information stating the source .dfy file in which the module is
+declared. The `--file-name` option controls the form of the filename in that information:
+   * --file-name:none -- no source file information is emitted
+   * --file-name:name -- (default) just the file name is emitted (e.g., `Test.dfy`)
+   * --file-name:absolute -- an absolute full path is emitted
+   * --file-name:relative=<prefix> -- a file name relative to the given prefix is emitted
+* If `--modify-time` is enabled, then the generated files contain information stating the
+last modified time of the source of the module being documented.
+* The `--program-name` option states text that will be included in the heading of the TOC and index pages
+
+The output files are HTML files, all contained in the given folder, one per module plus an 
+`index.html` file giving an overall table of contents and a `nameindex.html` file containing
+an alphabetical by name list of all the declarations in all the modules.
+The documentation for the root module is in `_.html`.
+
+#### 13.6.1.12. `dafny generate-tests` {#sec-dafny-generate-tests}
+
+This _experimental_ command allows generating tests from Dafny programs.
+The tests provide complete coverage of the implementation and one can execute them using the [`dafny test`](#sec-dafny-test) command.
+Dafny can target different notions of coverage while generating tests, with basic-block coverage being the recommended setting.
+Basic blocks are extracted from the Boogie representation of the Dafny program, with one basic block corresponding
+to a statement or a non-short-circuiting subexpression in the Dafny code. The underlying implementation uses the 
+verifier to reason about the reachability of different basic blocks in the program and infers necessary test inputs 
+from counterexamples.
+
+For example, this code (as the file `program.dfy`)
+<!-- %no-check -->
+```dafny
+module M {
+  function {:testEntry} Min(a: int, b: int): int {
+    if a < b then a else b
+  }
+}
+```
+and this command-line
+```bash
+dafny generate-tests Block program.dfy
+```
+produce two tests:
+<!-- %no-check -->
+```dafny
+include "program.dfy"
+module UnitTests {
+  import M
+  method {:test} Test0() {
+    var r0 := M.Min(0, 0);
+  }
+  method {:test} Test1() {
+    var r0 := M.Min(0, 1);
+  }
+}
+```
+
+The two tests together cover every basic block within the `Min` function in the input program. 
+Note that the `Min` function is annotated with the `{:testEntry}` attribute. This attribute marks `Min` as 
+the entry point for all generated tests, and there must always be at least one method or function so annotated.
+Another requirement is that any top-level declaration that is not itself a module (such as class, method, function, 
+etc.) must be a member of an explicitly named module, which is called `M` in the example above.
+
+_This command is under development and not yet fully functional._
+
+#### 13.6.1.13. `Inlining` {#sec-dafny-generate-tests-inlining}
+
+By default, when asked to generate tests, Dafny will produce _unit tests_, which guarantee coverage of basic blocks
+within the method they call but not within any of its callees. By contrast, system-level tests can
+guarantee coverage of a large part of the program while at the same time using a single method as an entry point. 
+In order to prompt Dafny to generate system-level tests, one must use the `{:testInline}` attribute. 
+
+For example, this code (as the file `program.dfy`)
+<!-- %no-check -->
+```dafny
+module M {
+  function {:testInline} Min(a: int, b: int): int {
+    if a < b then a else b
+  }
+  method {:testEntry} Max(a: int, b: int) returns (c: int)
+    // the tests convert the postcondition below into runtime check:
+    ensures c == if a > b then a else b
+  {
+    return -Min(-a, -b);
+  }
+}
+```
+and this command-line
+```bash
+dafny generate-tests Block program.dfy
+```
+produce two tests:
+<!-- %no-check -->
+```dafny
+include "program.dfy"
+module UnitTests {
+  import M
+  method {:test} Test0() {
+    var r0 := M.Max(7719, 7720);
+    expect r0 == if 7719 > 7720 then 7719 else 7720;
+  }
+  method {:test} Test1() {
+    var r0 := M.Max(1, 0);
+    expect r0 == if 1 > 0 then 1 else 0;
+  }
+}
+```
+
+Without the use of the `{:testInline}` attribute in the example above, Dafny will only generate a single test 
+because there is only one basic-block within the `Max` method itself -- all the branching occurs within the `Min` function.
+Note also that Dafny automatically converts all non-ghost postconditions on the method under tests into `expect` statements,
+which the compiler translates to runtime checks in the target language of choice.
+
+When the inlined method or function is recursive, it might be necessary to unroll the recursion several times to 
+get adequate code coverage. The depth of recursion unrolling should be provided as an integer argument to the `{:testInline}`
+attribute. For example, in the program below, the function `Mod3` is annotated with `{:testInline 2}` and 
+will, therefore, be unrolled twice during test generation. The function naively implements division by repeatedly and
+recursively subtracting `3` from its argument, and it returns the remainder of the division, which is one of 
+the three base cases. Because the `TestEntry` method calls `Mod3` with an argument that is guaranteed to be at least `3`,
+the base case will never occur on first iteration, and the function must be unrolled at least twice for Dafny to generate
+tests covering any of the base cases:
+
+<!-- %no-check -->
+```dafny
+module M {
+  function {:testInline 2} Mod3 (n: nat): nat
+    decreases n
+  {
+    if n == 0 then 0 else
+    if n == 1 then 1 else
+    if n == 2 then 2 else
+    Mod3(n-3)
+  }
+  method {:testEntry} TestEntry(n: nat) returns (r: nat)
+    requires n >= 3
+  {
+    r := Mod3(n);
+  }
+}
+```
+
+#### 13.6.1.14. `Command Line Options` {#sec-dafny-generate-tests-clo}
+
+Test generation supports a number of command-line options that control its behavior.
+
+The first argument to appear after the `generate-test` command specifies the coverage criteria Dafny will attempt to satisfy. 
+Of these, we recommend basic-block coverage (specified with keyword `Block`), which is also the coverage criteria used
+throughout the relevant parts of this reference manual. The alternatives are path coverage (`Path`) and block coverage 
+after inlining (`InlinedBlock`). Path coverage provides the most diverse set of tests but it is also the most expensive 
+in terms of time it takes to produce these tests. Block coverage after inlining is a call-graph sensitive version of 
+block coverage - it takes into account every block in a given method for every path through the call-graph to that method.
+
+The following is a list of command-line-options supported by Dafny during test generation:
+
+- `--verification-time-limit` - the value is an integer that sets a timeout for generating a single test. 
+  The default is 20 seconds.
+- `--length-limit` - the value is an integer that is used to limit the lengths or all sequences and sizes of all 
+  maps and sets that test generation will consider as valid test inputs. This can sometimes be necessary to 
+  prevent test generation from creating unwieldy tests with excessively long strings or large maps. This option is
+  disabled by default
+- `--coverage-report` - the value is a directory in which Dafny will save an html coverage report highlighting parts of
+  the program that the generated tests are expected to cover.
+- `--print-bpl` - the value is the name of the file to which Dafny will save the Boogie code used for generating tests.
+  This options is mostly useful for debugging test generation functionality itself.
+- `--force-prune` - this flag enables axiom pruning, a feature which might significantly speed up test generation but 
+  can also reduce coverage or cause Dafny to produce tests that do not satisfy the preconditions.
+
+Dafny will also automatically enforce the following options during test generation: `--enforce-determinism`, 
+`/typeEncoding:p` (an option passed on to Boogie).
+
+#### 13.6.1.15. `dafny find-dead-code` {#sec-dafny-find-dead-code}
+
+This _experimental_ command finds dead code in a program, that is, basic-blocks within a method that are not reachable 
+by any inputs that satisfy the method's preconditions. The underlying implementation is identical to that of
+[`dafny generate-tests`](#sec-dafny-test) command and can be controlled by the same command line options and method 
+attributes.
+
+For example, this code (as the file `program.dfy`)
+<!-- %no-check -->
+```dafny
+module M {
+  function {:testEntry} DescribeProduct(a: int): string {
+    if a * a < 0 
+    then "Product is negative"
+    else "Product is nonnegative"
+  }
+}
+```
+and this command-line
+```bash
+dafny find-dead-code program.dfy
+```
+produce this output:
+```text
+program.dfy(5,9) is reachable.
+program.dfy(3,4):initialstate is reachable.
+program.dfy.dfy(5,9)#elseBranch is reachable.
+program.dfy.dfy(4,9)#thenBranch is potentially unreachable.
+Out of 4 basic blocks, 3 are reachable.
+```
+
+Dafny reports that the then branch of the condition is potentially unreachable because the verifier proves that no
+input can reach it. In this case, this is to be expected, since the product of two numbers can never be negative. In
+practice, `find-dead-code` command can produce both false positives (if the reachability query times out) and false
+negatives (if the verifier cannot prove true unreachability), so the results of such a report should always be
+reviewed.
+
+_This command is under development and not yet fully functional._
+
+#### 13.6.1.16. `dafny measure-complexity` {#sec-dafny-measure-complexity}
+
+This _experimental_ command reports complexity metrics of a program.
+
+_This command is under development and not yet functional._
+
+#### 13.6.1.17. Plugins
+
+This execution mode is not a command, per se, but rather a command-line option that enables executing plugins to the dafny tool.
+Plugins may be either standalone tools or be additions to existing commands.
+
+The form of the command-line is `dafny --plugin:<path-to-one-assembly[,argument]*>` or `dafny <command> --plugin:<path-to-one-assembly[,argument]*>`
+where the argument to `--plugin` gives the path to the compiled assembly of the plugin and the arguments to be provided to the plugin.
+
+More on writing and building plugins can be found [in this section](#sec-plugins).
+
+#### 13.6.1.18. Legacy operation
+
+Prior to implementing the command-based CLI, the `dafny` command-line simply took files and options and the arguments to options.
+That legacy mode of operation is still supported, though discouraged. The command `dafny -?` produces the list of legacy options.
+In particular, the common commands like `dafny verify` and `dafny build` are accomplished with combinations of 
+options like `-compile`, `-compileTarget` and `-spillTargetCode`.
+ 
+Users are encouraged to migrate to the command-based style of command-lines and the double-hyphen options.
+
+### 13.6.2. In-tool help
+
+As is typical for command-line tools, `dafny` provides in-tool help through the `-h` and `--help` options:
+- `dafny -h`, `dafny --help` list the commands available in the `dafny` tool
+- `dafny -?` lists all the (legacy) options implemented in `dafny`
+- `dafny <command> -h`, `dafny <command> --help`, `dafny <command> -?` list the options available for that command
+
+### 13.6.3. dafny exit codes {#sec-exit-codes}
+
+The basic resolve, verify, translate, build, run and commands of dafny terminate with these exit codes.
+
+* 0 -- success
+* 1 -- invalid command-line arguments
+* 2 -- syntax, parse, or name or type resolution errors
+* 3 -- compilation errors
+* 4 -- verification errors
+
+Errors in earlier phases of processing typically hide later errors.
+For example, if a program has parsing errors, verification or compilation will
+not be attempted.
+
+Other dafny commands may have their own conventions for exit codes. 
+However in all cases, an exit code of 0 indicates successful completion of the command's
+task and small positive integer values indicate errors of some sort.
+
+### 13.6.4. dafny output
+
+Most output from `dafny` is directed to the standard output of the shell invoking the tool, though some goes to standard error.
+- Command-line errors: these are produced by the dotnet CommandLineOptions package are directed to **standard-error**
+- Other errors: parsing, typechecking, verification and compilation errors are directed to **standard-out**
+- Non-error progress information also is output to **standard-out**
+- Dafny `print` statements, when executed, send output to **standard-out**
+- Dafny `expect` statements (when they fail) send a message to **standard-out**.
+- Dafny I/O libraries send output explicitly to either **standard-out or standard-error**
+
+### 13.6.5. Project files {#sec-project-files}
+
+Commands on the Dafny CLI that can be passed a Dafny file can also be passed a Dafny project file. Such a project file may define which Dafny files the project contains and which Dafny options it uses. The project file must be a [TOML](https://toml.io/en/) file named `dfyconfig.toml` for it to work on both the CLI and in the Dafny IDE, although the CLI will accept any `.toml` file. 
+Here's an example of a Dafny project file:
+
+```toml
+includes = ["src/**/*.dfy"]
+excludes = ["**/ignore.dfy"]
+
+base = ["../commonOptions.dfyconfig.toml"]
+
+[options]
+enforce-determinism = true
+warn-shadowing = true
+```
+
+- At most one `.toml` file may be named on the command-line; when using the command-line no `.toml` file is used by default.
+- In the `includes` and `excludes` lists, the file paths may have wildcards, including `**` to mean any number of directory levels; filepaths are relative to the location of the `.toml` file in which they are named.
+- Dafny will process the union of (a) the files on the command-line and (b) the files designated in the `.toml` file, which are those specified by the `includes`, omitting those specified by the `excludes`.
+The `excludes` does not remove any files that are listed explicitly on the command-line.
+- Under the section `[options]`, any options from the Dafny CLI can be specified using the option's name without the `--` prefix. 
+- When executing a `dafny` command using a project file, any options specified in the file that can be applied to the command, will be. Options that can't be applied are ignored; options that are invalid for any dafny command trigger warnings.
+- Options specified on the command-line take precedence over any specified in the project file, no matter the order of items on the command-line.
+- When using a Dafny IDE based on the `dafny server` command, the IDE will search for project files by traversing up the file tree looking for the closest `dfyconfig.toml` file to the dfy being parsed that it can find. Options from the project file will override options passed to `dafny server`.
+
+- The field 'base' can be used to let one project file inherit options from another. If an option is specified in both, then the value specified in the inheriting project is used. Includes from the inheritor override excludes from the base.
+
+It's not possible to use Dafny project files in combination with the legacy CLI UI.
+
+## 13.7. Verification {#sec-verification}
+
+In this section, we suggest a methodology to figure out [why a single assertion might not hold](#sec-verification-debugging), we propose techniques to deal with [assertions that slow a proof down](#sec-verification-debugging-slow), we explain how to [verify assertions in parallel or in a focused way](#sec-assertion-batches), and we also give some more examples of [useful options and attributes to control verification](#sec-command-line-options-and-attributes-for-verification).
+
+### 13.7.1. Verification debugging when verification fails {#sec-verification-debugging}
+
+Let's assume one assertion is failing ("assertion might not hold" or "postcondition might not hold"). What should you do next?
+
+The following section is textual description of the animation below, which illustrates the principle of debugging an assertion by computing the weakest precondition:  
+![weakestpreconditionDemo](https://user-images.githubusercontent.com/3601079/157976402-83fe4d37-8042-40fc-940f-bcfc235c7d2b.gif)
+
+#### 13.7.1.1. Failing postconditions {#sec-failing-postconditions}
+Let's look at an example of a failing postcondition.
+<!-- %check-verify UserGuide.1.expect -->
+```dafny
+method FailingPostcondition(b: bool) returns (i: int)
+  ensures 2 <= i
+{
+  var j := if !b then 3 else 1;
+  if b {
+    return j;
+  }//^^^^^^^ a postcondition might not hold on this return path.
+  i := 2;
+}
+```
+One first thing you can do is replace the statement `return j;` by two statements `i := j; return;` to better understand what is wrong:
+<!-- %check-verify UserGuide.2.expect -->
+```dafny
+method FailingPostcondition(b: bool) returns (i: int)
+  ensures 2 <= i
+{
+  var j := if !b then 3 else 1;
+  if b {
+    i := j;
+    return;
+  }//^^^^^^^ a postcondition might not hold on this return path.
+  i := 2;
+}
+```
+Now, you can assert the postcondition just before the return:
+<!-- %check-verify UserGuide.3.expect -->
+```dafny
+method FailingPostcondition(b: bool) returns (i: int)
+  ensures 2 <= i
+{
+  var j := if !b then 3 else 1;
+  if b {
+    i := j;
+    assert 2 <= i; // This assertion might not hold
+    return;
+  }
+  i := 2;
+}
+```
+That's it! Now the postcondition is not failing anymore, but the `assert` contains the error!
+you can now move to the next section to find out how to debug this `assert`.
+
+#### 13.7.1.2. Failing asserts {#sec-failing-asserts}
+In the [previous section](#sec-failing-postconditions), we arrived at the point where we have a failing assertion:
+<!-- %check-verify UserGuide.4.expect -->
+```dafny
+method FailingPostcondition(b: bool) returns (i: int)
+  ensures 2 <= i
+{
+  var j := if !b then 3 else 1;
+  if b {
+    i := j;
+    assert 2 <= i; // This assertion might not hold
+    return;
+  }
+  i := 2;
+}
+```
+To debug why this assert might not hold, we need to _move this assert up_, which is similar to [_computing the weakest precondition_](https://en.wikipedia.org/wiki/Predicate_transformer_semantics#Weakest_preconditions).
+For example, if we have `x := Y; assert F;` and the `assert F;` might not hold, the weakest precondition for it to hold before `x := Y;` can be written as the assertion `assert F[x:= Y];`, where we replace every occurrence of `x` in `F` into `Y`.
+Let's do it in our example:
+<!-- %check-verify UserGuide.5.expect -->
+```dafny
+method FailingPostcondition(b: bool) returns (i: int)
+  ensures 2 <= i
+{
+  var j := if !b then 3 else 1;
+  if b {
+    assert 2 <= j; // This assertion might not hold
+    i := j;
+    assert 2 <= i;
+    return;
+  }
+  i := 2;
+}
+```
+Yay! The assertion `assert 2 <= i;` is not proven wrong, which means that if we manage to prove `assert 2 <= j;`, it will work.
+Now, this assert should hold only if we are in this branch, so to _move the assert up_, we need to guard it.
+Just before the `if`, we can add the weakest precondition `assert b ==> (2 <= j)`:
+<!-- %check-verify UserGuide.6.expect -->
+```dafny
+method FailingPostcondition(b: bool) returns (i: int)
+  ensures 2 <= i
+{
+  var j := if !b then 3 else 1;
+  assert b  ==>  2 <= j;  // This assertion might not hold
+  if b {
+    assert 2 <= j;
+    i := j;
+    assert 2 <= i;
+    return;
+  }
+  i := 2;
+}
+```
+Again, now the error is only on the topmost assert, which means that we are making progress.
+Now, either the error is obvious, or we can one more time replace `j` by its value and create the assert `assert b ==> ((if !b then 3 else 1) >= 2);`
+<!-- %check-verify UserGuide.7.expect -->
+```dafny
+method FailingPostcondition(b: bool) returns (i: int)
+  ensures 2 <= i
+{
+  assert b  ==>  2 <= (if !b then 3 else 1);  // This assertion might not hold
+  var j := if !b then 3 else 1;
+  assert b  ==>  2 <= j;
+  if b {
+    assert 2 <= j;
+    i := j;
+    assert 2 <= i;
+    return;
+  }
+  i := 2;
+}
+```
+At this point, this is pure logic. We can simplify the assumption:
+<!-- %no-check -->
+```dafny
+b ==>  2 <= (if !b then 3 else 1)
+!b ||  (if !b then 2 <= 3 else 2 <= 1)
+!b ||  (if !b then true else false)
+!b || !b;
+!b;
+```
+Now we can understand what went wrong: When b is true, all of these formulas above are false, this is why the `dafny` verifier was not able to prove them.
+In the next section, we will explain how to "move asserts up" in certain useful patterns.
+
+#### 13.7.1.3. Failing asserts cases {#sec-failing-asserts-special-cases}
+
+This list is not exhaustive but can definitely be useful to provide the next step to figure out why Dafny could not prove an assertion.
+
+ Failing assert           | Suggested rewriting
+--------------------------|---------------------------------------
+ <br>`x := Y;`<br>`assert P;` | `assert P[x := Y];`<br>`x := Y;`<br>`assert P;`
+ <br>`if B {`<br>&nbsp;&nbsp;`  assert P;`<br>&nbsp;&nbsp;`  ...`<br>`}` | `assert B ==> P;`<br>`if B {`<br>&nbsp;&nbsp;`  assert P;`<br>&nbsp;&nbsp;`  ...`<br>`}`
+ <br>`if B {`<br>&nbsp;&nbsp;`  ...`<br>`} else {`<br>&nbsp;&nbsp;`  assert P;`<br>&nbsp;&nbsp;`  ...`<br>`}` | `assert !B ==> P;`<br>`if B {`<br>&nbsp;&nbsp;`  ...`<br>`} else {`<br>&nbsp;&nbsp;`  assert P;`<br>&nbsp;&nbsp;`  ...`<br>`}`
+ <br><br>`if X {`<br>&nbsp;&nbsp;`  ...`<br>`} else {`<br>&nbsp;&nbsp;`  ...`<br>`}`<br>`assert A;` | `if X {`<br>&nbsp;&nbsp;`  ...`<br>&nbsp;&nbsp;`  assert A;`<br>`} else {`<br>&nbsp;&nbsp;`  ...`<br>&nbsp;&nbsp;`  assert A;`<br>`}`<br>`assert A;`
+ <br><br><br><br><br>`assert forall x :: Q(x);` | [`forall x`](#sec-forall-statement)<br>&nbsp;&nbsp;`  ensures Q(x)`<br>`{`<br>&nbsp;&nbsp;`  assert Q(x);`<br>`};`<br>` assert forall x :: Q(x);`
+ <br><br><br><br><br>`assert forall x :: P(x) ==> Q(x);` | [`forall x | P(x)`](#sec-forall-statement)<br>&nbsp;&nbsp;`  ensures Q(x)`<br>`{`<br>&nbsp;&nbsp;`  assert Q(x);`<br>`};`<br>` assert forall x :: P(x) ==> Q(x);`
+ <br>`assert exists x | P(x) :: Q(x);`<br>`assert exists x | P(x) :: Q'(x);` | `if x :| P(x) {`<br>&nbsp;&nbsp;`  assert Q(x);`<br>&nbsp;&nbsp;`  assert Q'(x);`<br>`} else {`<br>&nbsp;&nbsp;`  assert false;`<br>`}`
+ <br>`assert exists x :: P(x);`<br> | `assert P(x0);`<br>`assert exists x :: P(x);`<br>for a given expression `x0`.
+ <br>`ensures exists i :: P(i);`<br> | `returns (j: int)`<br>`ensures P(j) ensures exists i :: P(i)`<br>in a lemma, so that the `j` can be computed explicitly.
+ <br><br>`assert A == B;`<br>`callLemma(x);`<br>`assert B == C;`<br> | [`calc == {`](#sec-calc-statement)<br>&nbsp;&nbsp;`  A;`<br>&nbsp;&nbsp;`  B;`<br>&nbsp;&nbsp;`  { callLemma(x); }`<br>&nbsp;&nbsp;`  C;`<br>`};`<br>`assert A == B;`<br>where the [`calc`](#sec-calc-statement) statement can be used to make intermediate computation steps explicit. Works with `<`, `>`, `<=`, `>=`, `==>`, `<==` and `<==>` for example.
+ <br><br><br>`assert A ==> B;` | `if A {`<br>&nbsp;&nbsp;`  assert B;`<br>`};`<br>`assert A ==> B;`
+ <br><br>`assert A && B;` | `assert A;`<br>`assert B;`<br>`assert A && B;`
+ `ensures P ==> Q` on a lemma<br> | `requires P ensures Q` to avoid accidentally calling the lemma on inputs that do not satisfy `P`
+ `seq(size, i => P)` | `seq(size, i requires 0 <= i < size => P);`
+  <br><br>`assert forall x :: G(i) ==> R(i);` |  `assert G(i0);`<br>`assert R(i0);`<br>`assert forall i :: G(i) ==> R(i);` with a guess of the `i0` that makes the second assert to fail.
+  <br><br>`assert forall i | 0 < i <= m :: P(i);` |  `assert forall i | 0 < i < m :: P(i);`<br>`assert forall i | i == m :: P(i);`<br>`assert forall i | 0 < i <= m :: P(i);`<br><br>
+  <br><br>`assert forall i | i == m :: P(m);` |  `assert P(m);`<br>`assert forall i | i == m :: P(i);`
+  `method m(i) returns (j: T)`<br>&nbsp;&nbsp;`  requires A(i)`<br>&nbsp;&nbsp;`  ensures B(i, j)`<br>`{`<br>&nbsp;&nbsp;`  ...`<br>`}`<br><br>`method n() {`<br>&nbsp;&nbsp;`  ...`<br><br><br>&nbsp;&nbsp;`  var x := m(a);`<br>&nbsp;&nbsp;`  assert P(x);` | `method m(i) returns (j: T)`<br>&nbsp;&nbsp;`  requires A(i)`<br>&nbsp;&nbsp;`  ensures B(i, j)`<br>`{`<br>&nbsp;&nbsp;`  ...`<br>`}`<br><br>`method n() {`<br>&nbsp;&nbsp;`  ...`<br>&nbsp;&nbsp;`  assert A(k);`<br>&nbsp;&nbsp;`  assert forall x :: B(k, x) ==> P(x);`<br>&nbsp;&nbsp;`  var x := m(k);`<br>&nbsp;&nbsp;`  assert P(x);`
+  `method m_mod(i) returns (j: T)`<br>&nbsp;&nbsp;`  requires A(i)`<br>&nbsp;&nbsp;`  modifies this, i`<br>&nbsp;&nbsp;`  ensures B(i, j)`<br>`{`<br>&nbsp;&nbsp;`  ...`<br>`}`<br><br>`method n_mod() {`<br>&nbsp;&nbsp;`  ...`<br><br><br><br><br>&nbsp;&nbsp;`  var x := m_mod(a);`<br>&nbsp;&nbsp;`  assert P(x);` | `method m_mod(i) returns (j: T)`<br>&nbsp;&nbsp;`  requires A(i)`<br>&nbsp;&nbsp;`  modifies this, i`<br>&nbsp;&nbsp;`  ensures B(i, j)`<br>`{`<br>&nbsp;&nbsp;`  ...`<br>`}`<br><br>`method n_mod() {`<br>&nbsp;&nbsp;`  ...`<br>&nbsp;&nbsp;`  assert A(k);`<br>&nbsp;&nbsp;`  modify this, i; // Temporarily`<br>&nbsp;&nbsp;`  var x: T;     // Temporarily`<br>&nbsp;&nbsp;`  assume B(k, x);`<br>&nbsp;&nbsp;`//  var x := m_mod(k);`<br>&nbsp;&nbsp;`  assert P(x);`
+  <br>`modify x, y;`<br>`assert P(x, y, z);` | `assert x != z && y != z;`<br>`modify x, y;`<br>`assert P(x, y, z);`
+
+#### 13.7.1.4. Counterexamples {#sec-counterexamples}
+
+When verification fails, we can rerun Dafny with `--extract-counterexample` flag to get a counterexample that can potentially explain the proof failure.
+Note that Danfy cannot guarantee that the counterexample it reports provably violates the assertion it was generated for (see [^smt-encoding])
+The counterexample takes the form of assumptions that can be inserted into the code to describe the potential conditions under which the given assertion is violated. 
+This output should be inspected manually and treated as a hint.
+
+### 13.7.2. Verification debugging when verification is slow {#sec-verification-debugging-slow}
+
+In this section, we describe techniques to apply in the case when verification is slower than expected, does not terminate, or times out.
+
+Additional detail is available in the [verification optimization guide](../VerificationOptimization/VerificationOptimization).
+
+#### 13.7.2.1. `assume false;` {#sec-assume-false}
+
+Assuming `false` is an empirical way to short-circuit the verifier and usually stop verification at a given point,[^explainer-assume-false] and since the final compilation steps do not accept this command, it is safe to use it during development.
+Another similar command, `assert false;`, would also short-circuit the verifier, but it would still make the verifier try to prove `false`, which can also lead to timeouts.
+
+[^explainer-assume-false]: `assume false` tells the `dafny` verifier "Assume everything is true from this point of the program". The reason is that, 'false' proves anything. For example, `false ==> A` is always true because it is equivalent to `!false || A`, which reduces to `true || A`, which reduces to `true`.
+
+Thus, let us say a program of this shape takes forever to verify.
+
+<!-- %no-check -->
+```dafny
+method NotTerminating(b: bool) {
+   assert X;
+   if b {
+     assert Y;
+   } else {
+     assert Z;
+     assert P;
+   }
+}
+```
+
+What we can first do is add an `assume false` at the beginning of the method:
+
+<!-- %no-check -->
+```dafny
+method NotTerminating() {
+   assume false; // Will never compile, but everything verifies instantly
+   assert X;
+   if b {
+     assert Y;
+   } else {
+     assert Z;
+     assert P;
+   }
+   assert W;
+}
+```
+
+This verifies instantly. This gives us a strategy to bisect, or do binary search to find the assertion that slows everything down.
+Now, we move the `assume false;` below the next assertion:
+
+<!-- %no-check -->
+```dafny
+method NotTerminating() {
+   assert X;
+   assume false;
+   if b {
+     assert Y;
+   } else {
+     assert Z;
+     assert P;
+   }
+   assert W;
+}
+```
+
+If verification is slow again, we can use [techniques seen before](#sec-verification-debugging) to decompose the assertion and find which component is slow to prove.
+
+If verification is fast, that's the sign that `X` is probably not the problem,. We now move the `assume false;` after the if/then block:
+
+<!-- %no-check -->
+```dafny
+method NotTerminating() {
+   assert X;
+   if b {
+     assert Y;
+   } else {
+     assert Z;
+     assert P;
+   }
+   assume false;
+   assert W;
+}
+```
+
+Now, if verification is fast, we know that `assert W;` is the problem. If it is slow, we know that one of the two branches of the `if` is the problem.
+The next step is to put an `assume false;` at the end of the `then` branch, and an `assume false` at the beginning of the else branch:
+
+<!-- %no-check -->
+```dafny
+method NotTerminating() {
+   assert X;
+   if b {
+     assert Y;
+     assume false;
+   } else {
+     assume false;
+     assert Z;
+     assert P;
+   }
+   assert W;
+}
+```
+
+Now, if verification is slow, it means that `assert Y;` is the problem.
+If verification is fast, it means that the problem lies in the `else` branch.
+One trick to ensure we measure the verification time of the `else` branch and not the then branch is to move the first `assume false;` to the top of the then branch, along with a comment indicating that we are short-circuiting it for now.
+Then, we can move the second `assume false;` down and identify which of the two assertions makes the verifier slow.
+
+
+<!-- %no-check -->
+```dafny
+method NotTerminating() {
+   assert X;
+   if b {
+     assume false; // Short-circuit because this branch is verified anyway
+     assert Y;
+   } else {
+     assert Z;
+     assume false;
+     assert P;
+   }
+   assert W;
+}
+```
+
+If verification is fast, which of the two assertions `assert Z;` or `assert P;` causes the slowdown?[^answer-slowdown]
+
+[^answer-slowdown]: `assert P;`.
+
+We now hope you know enough of `assume false;` to locate assertions that make verification slow.
+Next, we will describe some other strategies at the assertion level to figure out what happens and perhaps fix it.
+
+#### 13.7.2.2. `assert ... by {}` {#sec-verification-debugging-assert-by}
+
+If an assertion `assert X;` is slow, it is possible that calling a lemma or invoking other assertions can help to prove it: The postcondition of this lemma, or the added assertions, could help the `dafny` verifier figure out faster how to prove the result.
+
+<!-- %no-check -->
+```dafny
+  assert SOMETHING_HELPING_TO_PROVE_LEMMA_PRECONDITION;
+  LEMMA();
+  assert X;
+...
+lemma () 
+  requires LEMMA_PRECONDITION
+  ensures X { ... }
+```
+
+However, this approach has the problem that it exposes the asserted expressions and lemma postconditions not only for the assertion we want to prove faster,
+but also for every assertion that appears afterwards. This can result in slowdowns[^verifier-lost].
+A good practice consists of wrapping the intermediate verification steps in an `assert ... by {}`, like this:
+
+
+<!-- %no-check -->
+```dafny
+  assert X by {
+    assert SOMETHING_HELPING_TO_PROVE_LEMMA_PRECONDITION;
+    LEMMA();
+  }
+```
+
+Now, only `X` is available for the `dafny` verifier to prove the rest of the method.
+
+[^verifier-lost]: By default, the expression of an assertion or a precondition is added to the knowledge base of the `dafny` verifier for further assertions or postconditions. However, this is not always desirable, because if the verifier has too much knowledge, it might get lost trying to prove something in the wrong direction.
+
+#### 13.7.2.3. Labeling and revealing assertions {#sec-labeling-revealing-assertions}
+
+Another way to prevent assertions or preconditions from cluttering the verifier[^verifier-lost] is to label and reveal them.
+Labeling an assertion has the effect of "hiding" its result, until there is a "reveal" calling that label.
+
+The example of the [previous section](#sec-verification-debugging-assert-by) could be written like this.
+
+<!-- %no-check -->
+```dafny
+  assert p: SOMETHING_HELPING_TO_PROVE_LEMMA_PRECONDITION;
+  // p is not available here.
+  assert X by {
+    reveal p;
+    LEMMA();
+  }
+```
+
+Similarly, if a precondition is only needed to prove a specific result in a method, one can label and reveal the precondition, like this:
+
+<!-- %check-verify -->
+```dafny
+method Slow(i: int, j: int)
+  requires greater: i > j {
+  
+  assert i >= j by {
+    reveal greater;
+  }
+}
+```
+
+Labelled assert statements are available both in expressions and statements.
+Assertion labels are not accessible outside of the block which the assert statement is in.
+If you need to access an assertion label outside of the enclosing expression or statement,
+you need to lift the labelled statement at the right place manually, e.g. rewrite
+
+<!-- %no-check -->
+```dafny
+ghost predicate P(i: int)
+
+method TestMethod(x: bool)
+  requires r: x <==> P(1)
+{
+  if x {
+    assert a: P(1) by { reveal r; }
+  }
+  assert x ==> P(1) by { reveal a; } // Error, a is not accessible
+}
+```
+to
+
+<!-- %check-verify -->
+```dafny
+ghost predicate P(i: int)
+
+method TestMethod(x: bool)
+  requires r: x <==> P(1)
+{
+  assert a: x ==> P(1) by {
+    if x {
+      assert P(1) by { reveal r; } // Proved without revealing the precondition
+    }
+  }
+  assert x ==> P(1) by { reveal a; } // Now a is accessible
+}
+```
+
+To lift assertions, please refer to the techniques described in [Verification Debugging](#sec-verification-debugging).
+
+#### 13.7.2.4. Non-opaque `function method` {#sec-non-opaque-function-method}
+
+Functions are normally used for specifications, but their functional syntax is sometimes also desirable to write application code.
+However, doing so naively results in the body of a `function method Fun()` be available for every caller, which can cause the verifier to time out or get extremely slow[^verifier-lost].
+A solution for that is to add the attribute [`{:opaque}`](#sec-opaque) right between `function method` and `Fun()`, and use [`reveal Fun();`](#sec-reveal-statement) in the calling functions or methods when needed.
+
+#### 13.7.2.5. Conversion to and from bitvectors {#sec-conversion-to-and-from-bitvectors}
+
+Bitvectors and natural integers are very similar, but they are not treated the same by the `dafny` verifier. As such, conversion from `bv8` to an `int` and vice-versa is not straightforward, and can result in slowdowns.
+
+There are two solutions to this for now. First, one can define a [subset type](#sec-subset-types) instead of using the built-in type `bv8`:
+
+<!-- %check-resolve -->
+```dafny
+type byte = x | 0 <= x < 256
+```
+
+One of the problems of this approach is that additions, subtractions and multiplications do not enforce the result to be in the same bounds, so it would have to be checked, and possibly truncated with modulos. For example:
+
+<!-- %check-resolve -->
+```dafny
+type byte = x | 0 <= x < 256
+method m() {
+  var a: byte := 250;
+  var b: byte := 200;
+  var c := b - a;               // inferred to be an 'int', its value will be 50.
+  var d := a + b;               // inferred to be an 'int', its value will be 450.
+  var e := (a + b) % 256;       // still inferred to be an 'int'...
+  var f: byte := (a + b) % 256; // OK
+}
+```
+
+A better solution consists of creating a [newtype](#sec-newtypes) that will have the ability to check bounds of arithmetic expressions, and can actually be compiled to bitvectors as well.
+
+<!-- %check-verify UserGuide.8.expect -->
+```dafny
+newtype {:nativeType "short"} byte = x | 0 <= x < 256
+method m() {
+  var a: byte := 250;
+  var b: byte := 200;
+  var c := b - a; // OK, inferred to be a byte
+  var d := a + b; // Error: cannot prove that the result of a + b is of type `byte`.
+  var f := ((a as int + b as int) % 256) as byte; // OK
+}
+```
+
+One might consider refactoring this code into separate functions if used over and over.
+
+#### 13.7.2.6. Nested loops {#sec-nested-loops}
+
+In the case of nested loops, the verifier might timeout sometimes because of inadequate or too much available information[^verifier-lost].
+One way to mitigate this problem, when it happens, is to isolate the inner loop by refactoring it into a separate method, with suitable pre and postconditions that will usually assume and prove the invariant again.
+For example,
+
+<!-- %no-check -->
+```dafny
+while X
+   invariant Y
+ {
+   while X'
+     invariant Y'
+   {
+ 
+   }
+ }
+```
+
+could be refactored as this:
+
+<!-- %no-check -->
+```dafny
+`while X
+   invariant Y
+ {
+   innerLoop();
+ }
+...
+method innerLoop()
+  require Y'
+  ensures Y'
+```
+
+In the next section, when everything can be proven in a timely manner, we explain another strategy to decrease proof time by parallelizing it if needed, and making the verifier focus on certain parts.
+
+### 13.7.3. Assertion batches, well-formedness, correctness {#sec-assertion-batches}
+
+To understand how to control verification,
+it is first useful to understand how `dafny` verifies functions and methods.
+
+For every method (or function, constructor, etc.), `dafny` extracts _assertions_.
+Assertions can roughly be sorted into two kinds: Well-formedness and correctness.
+
+- _Well-formedness_ assertions: All the implicit requirements
+  of native operation calls (such as indexing and asserting that divisiors are nonzero),
+  [`requires` clauses](#sec-requires-clause) of function calls, explicit
+  [assertion expressions](#sec-statement-in-an-expression) and
+  [`decreases` clauses](#sec-decreases-clause) at function call sites
+  generate well-formedness assertions.  
+  An expression is said to be _well-formed_ in a context if
+  all well-formedness assertions can be proven in that context.
+
+- _Correctness_ assertions: All remaining assertions and clauses
+
+For example, given the following statements:
+
+<!-- %no-check -->
+```dafny
+if b {
+  assert a*a != 0;
+}
+c := (assert b ==> a != 0; if b then 3/a else f(a));
+assert c != 5/a;
+```
+
+Dafny performs the following checks:
+
+<!-- %no-check -->
+```dafny
+var c: int;
+if b {
+  assert a*a != 0;   // Correctness
+}
+assert b ==> a != 0; // Well-formedness
+if b {
+  assert a != 0;     // Well-formedness
+} else {
+  assert f.requires(a); // Well-formedness
+}
+c := if b then 3/a else f(a);
+assert a != 0;       // Well-formedness
+assert c != 5/a;     // Correctness
+```
+
+Well-formedness is proved at the same time as correctness, except for
+[well-formedness of requires and ensures clauses](#sec-well-formedness-specifications)
+which is proved separately from the well-formedness and correctness of the rest of the method/function.
+For the rest of this section, we don't differentiate between well-formedness assertions and correctness assertions.
+
+We can also classify the assertions extracted by Dafny in a few categories:
+
+**Integer assertions:**
+
+* Every [division](#sec-numeric-types) yields an _assertion_ that the divisor is never zero.
+* Every [bounded number operation](#sec-numeric-types) yields an _assertion_ that the result will be within the same bounds (no overflow, no underflows).
+* Every [conversion](#sec-as-is-expression) yields an _assertion_ that conversion is compatible.
+* Every [bitvector shift](#sec-bit-vector-types) yields an _assertion_ that the shift amount is never negative, and that the shift amount is within the width of the value.
+
+**Object assertions:**
+
+* Every [object property access](#sec-class-types) yields an _assertion_ that the object is not null.
+* Every assignment `o.f := E;` yields an _assertion_ that `o` is among the set of objects of the `modifies` clause of the enclosing [loop](#sec-loop-framing) or [method](#sec-modifies-clause).
+* Every read `o.f` yields an _assertion_ that `o` is among the set of objects of the [`reads`](#sec-reads-clause) clause of the enclosing function or predicate.
+* Every [array access](#sec-array-type) `a[x]` yields the assertion that `0 <= x < a.Length`.
+* Every [sequence access](#sec-sequences) `a[x]` yields an _assertion_, that `0 <= x < |a|`, because sequences are never null.
+* Every [datatype update expression](#sec-datatype-update-suffix) and [datatype destruction](#sec-algebraic-datatype) yields an _assertion_ that the object has the given property.
+* Every method overriding a [`trait`](#sec-trait-types) yields an _assertion_ that any postcondition it provides implies the postcondition of its parent trait, and an _assertion_ that any precondition it provides is implied by the precondition of its parent trait.
+
+**Other assertions:**
+
+* Every value whose type is assigned to a [subset type](#sec-subset-types) yields an _assertion_ that it satisfies the subset type constraint.
+* Every non-empty [subset type](#sec-subset-types) yields an _assertion_ that its witness satisfies the constraint.
+* Every [Assign-such-that operator](#sec-update-and-call-statement) `x :| P(x)` yields an _assertion_ that `exists x :: P(x)`. In case `x :| P(x); Body(x)` appears in an expression and `x` is non-ghost, it also yields `forall x, y | P(x) && P(y) :: Body(x) == Body(y)`.
+* Every recursive function yields an _assertion_ that [it terminates](#sec-loop-termination).
+* Every [match expression](#sec-match-expression) or [alternative if statement](#sec-if-statement) yields an _assertion_ that all cases are covered.
+* Every call to a function or method with a [`requires`](#sec-requires-clause) clause yields _one assertion per requires clause_[^precision-requires-clause]
+  (special cases such as sequence indexing come with a special `requires` clause that the index is within bounds).
+
+**Specification assertions:**
+
+* Any explicit [`assert`](#sec-assert-statement) statement is _an assertion_[^precision-requires-clause].
+* A consecutive pair of lines in a [`calc`](#sec-calc-statement) statement forms _an assertion_ that the expressions are related according to the common operator.
+* Every [`ensures`](#sec-ensures-clause) clause yields an _assertion_ at the end of the method and on every return, and on [`forall`](#sec-forall-statement) statements.
+* Every [`invariant`](#sec-invariant-clause) clause yields an _assertion_ that it holds before the loop and an _assertion_ that it holds at the end of the loop.
+* Every [`decreases`](#sec-decreases-clause) clause yields an _assertion_ at either a call site or at the end of a while loop.
+* Every [`yield ensures`](#sec-iterator-specification) clause on an [iterator](#sec-iterator-types) yields _assertions_ that the clause holds at every yielding point.
+* Every [`yield requires`](#sec-iterator-specification) clause on an [iterator](#sec-iterator-types) yields _assertions_ that the clause holds at every point when the iterator is called.
+
+
+[^precision-requires-clause]: `dafny` actually breaks things down further. For example, a precondition `requires A && B` or an assert statement `assert A && B;` turns into two assertions, more or less like `requires A requires B` and `assert A; assert B;`.
+
+It is useful to mentally visualize all these assertions as a list that roughly follows the order in the code,
+except for `ensures` or `decreases` that generate assertions that seem earlier in the code but, for verification purposes, would be placed later.
+In this list, each assertion depends on other assertions, statements and expressions that appear earlier in the control flow[^complexity-path-encoding].
+
+[^complexity-path-encoding]: All the complexities of the execution paths (if-then-else, loops, goto, break....) are, down the road and for verification purposes, cleverly encoded with variables recording the paths and guarding assumptions made on each path. In practice, a second clever encoding of variables enables grouping many assertions together, and recovers which assertion is failing based on the value of variables that the SMT solver returns.
+
+The fundamental unit of verification in `dafny` is an _assertion batch_, which consists of one or more assertions from this "list", along with all the remaining assertions turned into assumptions. To reduce overhead, by default `dafny` collects all the assertions in the body of a given method into a single assertion batch that it sends to the verifier, which tries to prove it correct.
+
+* If the verifier says it is correct,[^smt-encoding] it means that all the assertions hold.
+* If the verifier returns a counterexample, this counterexample is used to determine both the failing assertion and the failing path.
+  In order to retrieve additional failing assertions, `dafny` will again query the verifier after turning previously failed assertions into assumptions.[^example-assertion-turned-into-assumption] [^caveat-about-assertion-and-assumption]
+* If the verifier returns `unknown` or times out, or even preemptively for difficult assertions or to reduce the chance that the verifier will ‘be confused’ by the many assertions in a large batch, `dafny` may partition the assertions into smaller batches[^smaller-batches]. An extreme case is the use of the `/vcsSplitOnEveryAssert` command-line option or the [`{:isolate_assertions}` attribute](#sec-isolate_assertions), which causes `dafny` to make one batch for each assertion.
+
+[^smt-encoding]: The formula sent to the underlying SMT solver is the negation of the formula that the verifier wants to prove - also called a VC or verification condition. Hence, if the SMT solver returns "unsat", it means that the SMT formula is always false, meaning the verifier's formula is always true. On the other side, if the SMT solver returns "sat", it means that the SMT formula can be made true with a special variable assignment, which means that the verifier's formula is false under that same variable assignment, meaning it's a counter-example for the verifier. In practice and because of quantifiers, the SMT solver will usually return "unknown" instead of "sat", but will still provide a variable assignment that it couldn't prove that it does not make the formula true. `dafny` reports it as a "counter-example" but it might not be a real counter-example, only provide hints about what `dafny` knows.
+
+[^example-assertion-turned-into-assumption]: This [post](https://github.com/dafny-lang/dafny/discussions/1898) gives an overview of how assertions are turned into assumptions for verification purposes.
+
+[^caveat-about-assertion-and-assumption]: Caveat about assertion and assumption: One big difference between an "assertion transformed in an assumption" and the original "assertion" is that the original "assertion" can unroll functions twice, whereas the "assumed assertion" can unroll them only once. Hence, `dafny` can still continue to analyze assertions after a failing assertion without automatically proving "false" (which would make all further assertions vacuous).
+
+[^smaller-batches]: To create a smaller batch, `dafny` duplicates the assertion batch, and arbitrarily transforms the clones of an assertion into assumptions except in exactly one batch, so that each assertion is verified only in one batch. This results in "easier" formulas for the verifier because it has less to prove, but it takes more overhead because every verification instance have a common set of axioms and there is no knowledge sharing between instances because they run independently.
+
+#### 13.7.3.1. Controlling assertion batches {#sec-assertion-batches-control}
+
+When Dafny verifies a symbol, such as a method, a function or a constant with a subset type, that verification may contain multiple assertions. A symbol is generally verified the fastest when all assertions it in are verified together, in what we call a single 'assertion batch'. However, is it possible to split verification of a symbol into multiple batches, and doing so makes the individual batches simpler, which can lead to less brittle verification behavior. Dafny contains several attributes that allow you to customize how verification is split into batches.
+
+Firstly, you can instruct Dafny to verify individual assertions in separate batches. You can place the `{:isolate}` attribute on a single assertion to place it in a separate batch, or you can place `{:isolate_assertions}` on a symbol, such as a function or method declaration, to place all assertions in it into separate batches. The CLI option `--isolate-assertions` will place all assertions into separate batches for all symbols. `{:isolate}` can be used on `assert`, `return` and `continue` statements. When placed on a `return` statement, it will verify the postconditions for all paths leading to that `return` in a separate batch. When placed on a `continue`, it will verify the loop invariants for all paths leading to that `continue` in a separate batch. 
+
+Given an assertion that is placed into a separate batch, you can then further simplify the verification of this assertion by placing each control flow path that leads to this assertion into a separate batch. You can do this using the attribute `{:isolate "paths"}`.
+
+### 13.7.4. Command-line options and other attributes to control verification {#sec-command-line-options-and-attributes-for-verification}
+
+There are many great options that control various aspects of verifying dafny programs. Here we mention only a few:
+
+- Control of output: [`/dprint`](#sec-controlling-output), [`/rprint`](#sec-controlling-output), `/stats`, [`/compileVerbose`](#sec-controlling-compilation)
+- Whether to print warnings: `/proverWarnings`
+- Control of time: `/timeLimit`
+- Control of resources: `/rLimit` and [`{:rlimit}`](#sec-rlimit)
+- Control of the prover used: `/prover`
+- Control of how many times to _unroll_ functions: [`{:fuel}`](#sec-fuel)
+
+You can search for them in [this file](https://dafny-lang.github.io/dafny/DafnyRef/DafnyRef) as some of them are still documented in raw text format.
+
+### 13.7.5. Analyzing proof dependencies {#sec-proof-dependencies}
+
+When Dafny successfully verifies a particular definition, it can ask the
+solver for information about what parts of the program were actually
+used in completing the proof. The program components that can
+potentially form part of  a proof include:
+
+* `assert` statements (and the implicit assumption that they hold in subsequent code),
+* implicit assertions (such as array or sequence bounds checks),
+* `assume` statements,
+* `ensures` clauses,
+* `requires` clauses,
+* function definitions,
+* method calls, and
+* assignment statements.
+
+Understanding what portions of the program the proof depended on can
+help identify mistakes, and to better understand the structure of your
+proof (which can help when optimizing it, among other things). In
+particular, there are two key dependency structures that tend to
+indicate mistakes, both focused on what parts of the program were _not_
+included in the proof.
+
+* Redundant assumptions. In some cases, a proof can be completed without
+  the need of certain `assume` statements or `requires` clauses. This
+  situation might represent a mistake, and when the mistake is corrected
+  those program elements may become required. However, they may also
+  simply be redundant, and the program will become simpler if they're
+  removed. Dafny will report assumptions of this form when verifying
+  with the flag `--warn-redundant-assumptions`. Note that `assert`
+  statements may be warned about, as well, indicating that the fact
+  proved by the assertion wasn't needed to prove anything else in the
+  program.
+
+* Contradictory assumptions. If the combination of all assumptions in
+  scope at a particular program point is contradictory, anything can be
+  proved at that point. This indicates the serious situation that,
+  unless done on purpose in a proof by contradiction, your proof may be
+  entirely vacuous. It therefore may not say what you intended, giving
+  you a false sense of confidence. The
+  `--warn-contradictory-assumptions` flag instructs Dafny to warn about
+  any assertion that was proved through the use of contradictions
+  between assumptions. If a particular `assert` statement is part of an
+  intentional proof by contradiction, annotating it with the
+  `{:contradiction}` attribute will silence this warning.
+
+These options can be specified in `dfyconfig.toml`, and this is typically the most convenient way to use them with the IDE.
+
+More detailed information is available using either the `--log-format
+text` or `--verification-coverage-report` option to `dafny verify`. The former will
+include a list of proof dependencies (including source location and
+description) alongside every assertion batch in the generated log
+whenever one of the two warning options above is also included. The
+latter will produce a highlighted HTML version of your source code, in
+the same format used by `dafny test --coverage-report`
+and `dafny generate-tests --verification-coverage-report`,
+indicating which parts of the program were used, not used, or partly
+used in the verification of the entire program.
+
+### 13.7.6. Debugging brittle verification {#sec-brittle-verification}
+
+When evolving a Dafny codebase, it can sometimes occur that a proof
+obligation succeeds at first only for the prover to time out or report a
+potential error after minor, valid changes. We refer to such a proof
+obligation as _brittle_. This is ultimately due to decidability
+limitations in the form of automated reasoning that Dafny uses. The Z3
+SMT solver that Dafny depends on attempts to efficiently search for
+proofs, but does so using both incomplete heuristics and a degree of
+randomness, with the result that it can sometimes fail to find a proof
+even when one exists (or continue searching forever).
+
+Dafny provides some features to mitigate this issue, primarily focused
+on early detection. The philosophy is that, if Dafny programmers are
+alerted to proofs that show early signs of brittleness, before they are
+obviously so, they can refactor the proofs to make them less brittle
+before further development becomes difficult.
+
+The mechanism for early detection focuses on measuring the resources
+used to discharge a proof obligation (either using duration or a more
+deterministic "resource count" metric available from Z3). Dafny can
+re-run a given proof attempt multiple times after automatically making
+minor changes to the structure of the input or to the random choices
+made by the solver.  If the resources used during these attempts (or the
+ability to find a proof at all) vary widely, we use this as a proxy
+metric indicating that the proof may be brittle.
+
+#### 13.7.6.1. Measuring proof brittleness
+
+To measure the brittleness of your proofs, start by using the `dafny
+measure-complexity` command with the `--iterations N` flag to instruct
+Dafny to attempt each proof goal `N` times, using a different random
+seed each time. The random seed used for each attempt is derived from
+the global random seed `S` specified with `-randomSeed:S`, which
+defaults to `0`. The random seed affects the structure of the SMT
+queries sent to the solver, changing the ordering of SMT commands, the
+variable names used, and the random seed the solver itself uses when
+making decisions that can be arbitrary.
+
+For most use cases, it also makes sense to specify the
+`--log-format csv` flag, to log verification cost statistics to a
+CSV file. By default, the resulting CSV files will be created in the
+`TestResults` folder of the current directory.
+
+Once Dafny has completed, the
+[`dafny-reportgenerator`](https://github.com/dafny-lang/dafny-reportgenerator/)
+tool is a convenient way to process the output. It allows you to specify
+several limits on statistics computed from the elapsed time or solver
+resource use of each proof goal, returning an error code when it detects
+violations of these limits. You can find documentation on the full set
+of options for `dafny-reportgenerator` in its
+[`README.md`](https://github.com/dafny-lang/dafny-reportgenerator/blob/main/README.md)
+file.
+
+In general, we recommend something like the following:
+
+<!-- %no-check -->
+```bash
+dafny-reportgenerator --max-resource-cv-pct 10 TestResults/*.csv
+```
+
+This bounds the [coefficient of
+variation](https://en.wikipedia.org/wiki/Coefficient_of_variation) of
+the solver resource count at 10% (0.10). We recommend a limit of less
+than 20%, perhaps even as low as 5%. However, when beginning to analyze
+a new project, it may be necessary to set limits as high as a few
+hundred percent and incrementally ratchet down the limit over time.
+
+When first analyzing proof brittleness, you may also find that certain proof
+goals succeed on some iterations and fail on others. If your aim is
+first to ensure that brittleness doesn't worsen and then to start
+reducing it, integrating `dafny-reportgenerator` into CI and using the
+`--allow-different-outcomes` flag may be appropriate. Then, once you've
+improved brittleness sufficiently, you can likely remove that flag (and
+likely have significantly lower limits on other metrics).
+
+#### 13.7.6.2. Improving proof brittleness
+
+Reducing proof brittleness is typically closely related to improving
+performance overall. As such, [techniques for debugging slow
+verification](#sec-verification-debugging-slow) are typically useful for
+debugging brittle proofs, as well. See also the
+[verification optimization
+guide](../VerificationOptimization/VerificationOptimization).
+
+## 13.8. Compilation {#sec-compilation}
+
+The `dafny` tool can compile a Dafny program to one of several target languages. Details and idiosyncrasies of each
+of these are described in the following subsections. In general note the following:
+
+- The compiled code originating from `dafny` can be combined with other source and binary code, but only the `dafny`-originated code is verified.
+- Output file or folder names can be set using `--output`.
+- Code generated by `dafny` requires a Dafny-specific runtime library.  By default the runtime is included in the generated code. However for `dafny translate` it is not
+included by default and must be explicitly requested using `--include-runtime`.  All runtime libraries are part of the Binary (`./DafnyRuntime.*`) and Source (`./Source/DafnyRuntime/DafnyRuntime.*`) releases.
+- Names in Dafny are written out as names in the target language. In some cases this can result in naming conflicts. Thus if a Dafny program is intended to be compiled to a target language X, you should avoid using Dafny identifiers that are not legal identifiers in X or that conflict with reserved words in X.
+
+To be compilable to an executable program, a Dafny program must contain a `Main` entry point, as described [here](#sec-user-guide-main).
+
+
+### 13.8.1.1 Built-in declarations {#sec-compilation-built-ins}
+
+Dafny includes several built-in types such as tuples, arrays, arrows (functions), and the `nat` subset type.
+The supporting target language code for these declarations could be emitted on-demand,
+but these could then become multiple definitions of the same symbols when compiling multiple components separately. 
+Instead, all such built-ins up to a pre-configured maximum size are included in most of the runtime libraries.
+This means that when compiling to certain target languages, the use of such built-ins above these maximum sizes,
+such as tuples with more than 20 elements, is not supported.
+See the [Supported features by target language](#sec-supported-features-by-target-language) table
+for the details on these limits.
+
+### 13.8.2. `extern` declarations {#sec-extern-decls}
+
+A Dafny declaration can be marked with the [`{:extern}`](#sec-extern) attribute to
+indicate that it refers to an external definition that is already
+present in the language that the Dafny code will be compiled to (or will
+be present by the time the final target-language program is compiled or
+run).
+
+Because the [`{:extern}`](#sec-extern) attribute controls interaction with code written
+in one of many languages, it has some language-specific behavior,
+documented in the following sections. However, some aspects are
+target-language independent and documented here.
+
+The attribute can also take several forms, each defining a different
+relationship between a Dafny name and a target language name. In the
+form [`{:extern}`](#sec-extern), the name of the external definition is
+assumed to be the name of the Dafny declaration after some
+target-specific name mangling. However, because naming conventions (and
+the set of allowed identifiers) vary between languages, Dafny allows
+additional forms for the `{:extern}` attribute.
+
+The form `{:extern <s1>}` instructs `dafny` to compile references to most
+declarations using the name `s1` instead of the Dafny name. For [abstract
+types](#sec-abstract-types), however, `s1` is sometimes used as a hint as
+to how to declare that type when compiling. This hint is interpreted
+differently by each compiler.
+
+Finally, the form `{:extern <s1>, <s2>}` instructs `dafny` to use `s2` as
+the direct name of the declaration. `dafny` will typically use a
+combination of `s1` and `s2`, such as `s1.s2`, to reference the
+declaration. It may also be the case that one of the arguments is simply
+ignored, depending on the target language.
+
+The recommended style is to prefer `{:extern}` when possible, and use
+similar names across languages. This is usually feasible because
+existing external code is expected to have the same interface as the
+code that `dafny` would generate for a declaration of that form. Because
+many Dafny types compile down to custom types defined in the Dafny
+runtime library, it's typically necessary to write wrappers by hand that
+encapsulate existing external code using a compatible interface, and
+those wrappers can have names chosen for compatibility. For example,
+retrieving the list of command line arguments when compiling to C\#
+requires a wrapper such as the following:
+
+```cs
+using icharseq = Dafny.ISequence<char>;
+using charseq = Dafny.Sequence<char>;
+
+namespace Externs_Compile {
+  public partial class __default {
+    public static Dafny.ISequence<icharseq> GetCommandLineArgs() {
+      var dafnyArgs = Environment
+                      .GetCommandLineArgs()
+                      .Select(charseq.FromString);
+      return Dafny.Sequence<icharseq>.FromArray(dafnyArgs.ToArray());
+    }
+}
+```
+
+This serves as an example of implementing an extern,
+but was only necessary to retrieve command line arguments historically,
+as `dafny` now supports capturing these arguments via a main method
+that accepts a `seq<string>` (see the section on the [Main method](#sec-user-guide-main)).
+
+Note that `dafny` does not check the arguments to `{:extern}`, so it is
+the user's responsibility to ensure that the provided names result in
+code that is well-formed in the target language.
+
+Also note that the interface the external code needs to implement
+may be affected by compilation flags. In this case, if `--unicode-char:true`
+is provided, `dafny` will compile its `char` type to the `Dafny.Rune`
+C# type instead, so the references to the C# type `char` above
+would need to be changed accordingly. The reference to `charseq.FromString`
+would in turn need to be changed to `charseq.UnicodeFromString` to
+return the correct type.
+
+Most declarations, including those for modules, classes, traits, member
+variables, constructors, methods, function methods, and abstract types,
+can be marked with `{:extern}`.
+
+Marking a module with `{:extern}` indicates that the declarations
+contained within can be found within the given module, namespace, package, or
+similar construct within the target language. Some members of the Dafny
+module may contain definitions, in which case code for those definitions
+will be generated. Whether this results in valid target code may depend
+on some target language support for something resembling "partial"
+modules, where different subsets of the contents are defined in
+different places.
+
+The story for classes is similar. Code for a class will be generated
+if any of its members are not `{:extern}`. Depending on the target
+language, making either all or none of the members `{:extern}` may be
+the only options that result in valid target code. Traits with
+`{:extern}` can refer to existing traits or interfaces in the target
+language, or can refer to the interfaces of existing classes.
+
+Member variables marked with `{:extern}` refer to fields or properties
+in existing target-language code. Constructors, methods, and functions
+refer to the equivalent concepts in the target language. They
+can have contracts, which are then assumed to hold for the existing
+target-language code. They can also have bodies, but the bodies will not
+be compiled in the presence of the `{:extern}` attribute. Bodies can
+still be used for reasoning, however, so may be valuable in some cases,
+especially for function methods.
+
+Types marked with `{:extern}` must be opaque. The name argument, if any,
+usually refers to the type name in the target language, but some
+compilers treat it differently.
+
+Detailed description of the `dafny build` and `dafny run` commands and 
+the `--input` option (needed when `dafny run` has more than one input file)
+is contained [in the section on command-line structure](#command-line).
+
+### 13.8.3. Replaceable modules
+To enable easily customising runtime behavior across an entire Dafny program, Dafny has placeholder modules. Here follows an example:
+
+<!-- %check-run -->
+```dafny
+replaceable module Foo {
+  method Bar() returns (i: int) 
+    ensures i >= 2
+}
+
+method Main() {
+  var x := Foo.Bar();
+  print x;
+}
+// At this point, the program can be verified but not run.
+
+module ConcreteFoo replaces Foo {
+  method Bar() returns (i: int) {
+    return 3; // Main will print 3.
+  }
+}
+// ConcreteFoo can be swapped out for different replacements of Foo, to customize runtime behavior.
+```
+
+When replacing a replaceable module, the same rules apply as when refining an abstract module. However, unlike an abstract module, a placeholder module can be used as if it is a concrete module. When executing code, using for example `dafny run` or `dafny translate`, any program that contains a placeholder module must also contain a replacement of this placeholder. When using `dafny verify`, placeholder modules do not have to be replaced.
+
+Replaceable modules are particularly useful for defining behavior that depends on which target language Dafny is translated to.
+
+### 13.8.4. C\#
+
+For a simple Dafny-only program, the translation step converts a `A.dfy` file into `A.cs`;
+the build step then produces a `A.dll`, which can be used as a library or as an executable (run using `dotnet A.dll`).
+
+It is also possible to run the dafny files as part of a `csproj` project, with these steps:
+- create a dotnet project file with the command `dotnet new console`
+- delete the `Program.cs` file
+- build the dafny program: `dafny build A.dfy`
+- run the built program `dotnet A.dll`
+
+The last two steps can be combined:
+`dafny run A.dfy`
+
+Note that all input `.dfy` files and any needed runtime library code are combined into a single `.cs` file, 
+which is then compiled by `dotnet` to a `.dll`.
+
+
+Examples of how to integrate C# libraries and source code with Dafny source code
+are contained in [this separate document](integration-cs/IntegrationCS).
+
+### 13.8.5. Java
+
+The Dafny-to-Java compiler translation phase writes out the translated files of a file _A_`.dfy`
+to a directory _A_`-java`. 
+The build phase writes out a library or executable jar file.
+The `--output` option (`-out` in the legacy CLI) can be used to choose a
+different jar file path and name and correspondingly different directory for .java and .class files. 
+
+The compiler produces a single wrapper method that then calls classes in 
+relevant other `.java` files. Because Java files must be named consistent
+with the class they contain, but Dafny files do not, there may be no relation
+between the Java file names and the Dafny file names.
+However, the wrapper class that contains the Java `main` method is named for
+the first `.dfy` file on the command-line.
+
+The step of compiling Java files (using `javac`) requires the Dafny runtime library. 
+That library is automatically included if dafny is doing the compilation,
+but not if dafny is only doing translation.
+
+Examples of how to integrate Java source code and libraries with Dafny source
+are contained in [this separate document](integration-java/IntegrationJava).
+
+### 13.8.6. Javascript
+
+The Dafny-to-Javascript compiler translates all the given `.dfy` files into a single `.js` file, 
+which can then be run using `node`. (Javascript has no compilation step). 
+The build and run steps are simply
+- `dafny build --target:js A.dfy`
+- `node A.js`
+
+Or, in one step,
+- `dafny run A.dfy`
+
+Examples of how to integrate Javascript libraries and source code with Dafny source
+are contained in [this separate document](integration-js/IntegrationJS).
+
+### 13.8.7. Go
+
+The Dafny-to-Go compiler translates all the given `.dfy` files into a single
+`.go` file in `A-go/src/A.go`; the output folder can be specified with the 
+`-out` option. For an input file `A.dfy` the default output folder is `A-go`. 
+Then, Dafny compiles this program and creates an `A.exe` executable in the same folder as `A.dfy`.
+Some system runtime code is also placed in `A-go/src`.
+The build and run steps are
+- `dafny build --target:go A.dfy`
+- `./A`
+
+The uncompiled code can be compiled and run by `go` itself using
+- ``(cd A-go; GO111MODULE=auto GOPATH=`pwd` go run src/A.go)``
+
+The one-step process is
+- `dafny run --target:go A.dfy`
+
+The `GO111MODULE` variable is used because Dafny translates to pre-module Go code.
+When the implementation changes to current Go, the above command-line will
+change, though the `./A` alternative will still be supported.
+
+Examples of how to integrate Go source code and libraries with Dafny source
+are contained in [this separate document](integration-go/IntegrationGo).
+
+### 13.8.8. Python
+
+The Dafny-to-Python compiler is still under development. However, simple
+Dafny programs can be built and run as follows. The Dafny-to-Python
+compiler translates the `.dfy` files into a single `.py` file along with 
+supporting runtime library code, all placed in the output location 
+(`A-py` for an input file A.dfy, by default).
+
+The build and run steps are
+- `dafny build --target:py A.dfy`
+- `python A-py/A.py`
+
+In one step:
+- `dafny run --target:py A.dfy`
+
+Examples of how to integrate Python libraries and source code with Dafny source
+are contained in [this separate document](integration-py/IntegrationPython).
+
+### 13.8.9. C++
+
+The C++ backend was written assuming that it would primarily support writing
+C/C++ style code in Dafny, which leads to some limitations in the current
+implementation.
+
+- The C++ compiler does not support BigIntegers, so do not use `int`, or raw instances of
+  `arr.Length`, or sequence length, etc. in executable code.  You can however,
+  use `arr.Length as uint64` if you can prove your array is an appropriate
+  size.  The compiler will report inappropriate integer use.
+- The C++ compiler does not support advanced Dafny features like traits or coinductive
+  types.
+- There is very limited support for higher order functions even for array initialization.  Use
+  extern definitions like newArrayFill (see 
+  [extern.dfy](https://github.com/dafny-lang/dafny/blob/master/Test/c++/extern.dfy)) or
+  similar.  See also the example in [`functions.dfy`]
+  (https://github.com/dafny-lang/dafny/blob/master/Test/c++/functions.dfy).
+- The current backend also assumes the use of C++17 in order to cleanly and
+  performantly implement datatypes.
+
+### 13.8.10. Supported features by target language {#sec-supported-features-by-target-language}
+
+Some Dafny features are not supported by every target language.
+The table below shows which features are supported by each backend.
+An empty cell indicates that a feature is not supported,
+while an X indicates that it is.
+
+{% include_relative Features.md %}
+
+## 13.9. Dafny Command Line Options {#sec-command-line-options}
+
+There are many command-line options to the `dafny` tool.
+The most current documentation of the options is within the tool itself,
+using the `-?` or `--help` or `-h` options.
+
+Remember that options are typically stated with either a leading `--`.
+
+Legacy options begin with either '-' or '/'; however they are being
+migrated to the POSIX-compliant `--` form as needed.
+
+### 13.9.1. Help and version information {#sec-controlling-help}
+
+These options emit general information about commands, options and attributes.
+When present, the dafny program will terminates after emitting the requested information
+but without processing any files.
+
+* `--help`, `-h` - shows the various commands (which have help information under them as `dafny <command> -h`
+
+* `--version` - show the version of the build
+
+Legacy options:
+
+* `-?` - print out the legacy list of command-line options
+  and terminate. All of these options are also described in this and
+  the following sections.
+
+* `-attrHelp` - print out the current list of supported attribute
+  declarations and terminate.
+
+* `-env:<n>` - print the command-line arguments supplied to the program.
+  The value of `<n>` can be one of the following.
+
+  * `0` - never print command-line arguments.
+
+  * `1` (default) - print them to Boogie (`.bpl`) files and prover logs.
+
+  * `2` - operate like with option `1` but also print to standard output.
+
+* `-wait` - wait for the user to press `Enter` before terminating after a successful execution.
+
+### 13.9.2. Controlling input {#sec-controlling-input}
+
+These options control how Dafny processes its input.
+
+* `-stdin` - read standard input and treat it as Dafny source code,
+  instead of reading from a file.
+
+* `--library:<files>` - treat the given files as _library_ code, namely, skip
+these files (and any files recursively included) during verification;
+the value may be a comma-separated-list of files or folders; folders are expanded into
+a list of all .dfy files contained, recursively, in those folders
+
+* `--prelude:<file>` (was `-dprelude`) - select an alternative Dafny prelude file. This
+  file contains Boogie definitions (including many axioms) required by
+  the translator from Dafny to Boogie. Using an alternative prelude is
+  primarily useful if you're extending the Dafny language or changing
+  how Dafny constructs are modeled. The default prelude is 
+  [here](https://github.com/dafny-lang/dafny/blob/master/Source/DafnyCore/DafnyPrelude.bpl).
+
+### 13.9.3. Controlling plugins {#sec-controlling-plugins}
+
+Dafny has a plugin capability. 
+A plugin has access to an AST of the dafny input files
+after all parsing and resolution are performed (but not verification)
+and also to the command-line options.
+
+This facility is still _experimental_ and very much in flux, particularly 
+the form of the AST. The best guides to writing a new plugin are
+(a) the documentation in [the section of this manual on plugins](#sec-plugins) 
+and (b) example plugins in the
+`src/Tools` folder of the `dafny-lang/compiler-bootstrap` repo.
+
+The value of the option `--plugin` is a path to a dotnet dll that contains
+the compiled plugin.
+
+### 13.9.4. Controlling output {#sec-controlling-output}
+
+These options instruct Dafny to print various information about your
+program during processing, including variations of the original source
+code (which can be helpful for debugging).
+
+* `--use-basename-for-filename` - when enabled, just the filename without the 
+directory path is used in error messages; this make error message shorter and 
+not tied to the local environment (which is a help in testing)
+
+* `--output`, `-o` - location of output files [translate, build]
+
+* `--show-snippets` - include with an error message some of the source code text
+in the neighborhood of the error; the error location (file, line, column) is always given
+
+* `--solver-log <file>` - [verification only] the file in which to place the SMT text sent to the solver
+
+* `--log-format <configuration>` - [verification only] (was `-verificationLogger:<configuration string>`)
+  log verification
+  results to the given test result logger. The currently supported
+  loggers are `trx`, `csv`, and `text`. These are the XML-based formats
+  commonly used for test results for .NET languages, a custom CSV
+  schema, and a textual format meant for human consumption,
+  respectively. You can provide configuration using the same string
+  format as when using the `--logger` option for dotnet test, such as:
+
+        -verificationLogger:trx;LogFileName=<...>
+
+  The exact mapping of verification concepts to these formats is
+  experimental and subject to change!
+
+  The `trx` and `csv` loggers automatically choose an output file name
+  by default, and print the name of this file to the console. The `text`
+  logger prints its output to the console by default, but can send
+  output to a file given the `LogFileName` option.
+
+  The `text` logger also includes a more detailed breakdown of what
+  assertions appear in each assertion batch. When combined with the
+  `-vcsSplitOnEveryAssert` option, it will provide approximate time and
+  resource use costs for each assertion, allowing identification of
+  especially expensive assertions.
+
+
+Legacy options:
+
+* `-stats` - print various statistics about the Dafny files supplied on
+  the command line. The statistics include the number of total
+  functions, recursive functions, total methods, ghost methods, classes,
+  and modules. They also include the maximum call graph width and the
+  maximum module height.
+
+* `-dprint:<file>` - print the Dafny program after parsing (use `-` for
+  `<file>` to print to the console).
+
+* `-rprint:<file>` - print the Dafny program after type resolution (use
+  `-` for `<file>` to print to the console).
+
+* `-printMode:<Everything|DllEmbed|NoIncludes|NoGhost>` - select what to
+  include in the output requested by `-dprint` or `-rprint`. The
+  argument can be one of the following.
+
+  * `Everything` (default) - include everything.
+
+  * `DllEmbed`- print the source that will be included in a compiled DLL.
+
+  * `NoIncludes` - disable printing of methods incorporated via the
+    include mechanism that have the `{:verify false}` attribute, as well
+    as datatypes and fields included from other files.
+
+  * `NoGhost` - disables printing of functions, ghost methods, and proof
+    statements in implementation methods. Also disable anything
+    `NoIncludes` disables.
+
+* `-printIncludes:<None|Immediate|Transitive>` - select what information
+  from included files to incorporate into the output selected by
+  `-dprint` or `-rprint`. The argument can be one of the following.
+
+  * `None` (default) - don't print anything from included files.
+
+  * `Immediate` - print files directly included by files specified on
+    the command line. Exit after printing.
+
+  * `Transitive` - print files transitively included by files specified
+    on the command line. Exit after printing.
+
+* `-view:<view1, view2>` - this option limits what is printed by /rprint
+  for a module to the names that are part of the given export set;
+  the option argument is a comma-separated list of fully-qualified export
+  set names.
+
+* `-funcCallGraph` - print out the function call graph. Each line has
+  the format `func,mod=callee*`, where `func` is the name of a function,
+  `mod` is the name of its containing module, and `callee*` is a
+  space-separated list of the functions that `func` calls.
+
+* `--show-snippets` (was `-showSnippets:<n>` ) - show a source code snippet for each Dafny
+  message. The legacy option was `-showSnippets` with values 0 and 1 for false and true.
+
+
+* `-printTooltips` - dump additional positional information (displayed
+  as mouse-over tooltips by LSP clients) to standard output as `Info`
+  messages.
+
+* `-pmtrace` - print debugging information from the pattern-match
+  compiler.
+
+* `-titrace` - print debugging information during the type inference
+  process.
+
+* `-diagnosticsFormat:<text|json>` - control how to report errors, warnings, and info
+  messages.  `<fmt>` may be one of the following:
+
+  * `text` (default): Report diagnostics in human-readable format.
+  * `json`: Report diagnostics in JSON format, one object per diagnostic, one
+    diagnostic per line.  Info-level messages are only included with
+    `-printTooltips`.  End positions are only included with `-showSnippets:1`.
+    Diagnostics are the following format (but without newlines):
+
+    ```json
+    {
+      "location": {
+        "filename": "xyz.dfy",
+        "range": { // Start and (optional) end of diagnostic
+          "start": {
+            "pos": 83, // 0-based character offset in input
+            "line": 6, // 1-based line number
+            "character": 0 // 0-based column number
+          },
+          "end": { "pos": 86, "line": 6, "character": 3 }
+        }
+      },
+      "severity": 2, // 1: error; 2: warning; 4: info
+      "message": "module-level const declarations are always non-instance ...",
+      "source": "Parser",
+      "relatedInformation": [ // Additional messages, if any
+        {
+          "location": { ... }, // Like above
+          "message": "...",
+        }
+      ]
+    }
+    ```
+
+### 13.9.5. Controlling language features {#sec-controlling-language}
+
+These options allow some Dafny language features to be enabled or
+disabled. Some of these options exist for backward compatibility with
+older versions of Dafny.
+
+* `--default-function-opacity:<transparent|autoRevealDependencies|opaque>` - Change the default opacity of functions.
+  * `transparent` (default) means functions are transparent, can be manually made opaque and then revealed.
+  * `autoRevealDependencies` makes all functions not explicitly labelled as opaque to be opaque but reveals them automatically in scopes which do not have `{:autoRevealDependencies false}`.
+  * `opaque` means functions are always opaque so the opaque keyword is not needed, and functions must be revealed everywhere needed for a proof.
+
+* `--function-syntax` (value '3' or '4') - permits a choice of using the Dafny 3 syntax (`function` and `function method`)
+or the Dafny 4 syntax (`ghost function` and `function`)
+
+* `--quantifier-syntax` (value '3' or '4') - permits a choice between the Dafny 3 and Dafny 4 syntax for quantifiers
+
+* `--unicode-char` - if false, the `char` type represents any UTF-16 code unit,
+  that is, any 16-bit value, including surrogate code points and
+  allows `\uXXXX` escapes in string and character literals.
+  If true, `char` represents any Unicode scalar value,
+  that is, any Unicode code point excluding surrogates and
+  allows `\U{X..X}` escapes in string and character literals. 
+  The default is false for Dafny version 3 and true for version 4.
+  The legacy option was `-unicodeChar:<n>` with values 0 and 1 for
+  false and true above.
+
+Legacy options:
+
+* `-noIncludes` - ignore `include` directives in the program.
+
+* `-noExterns` - ignore `extern` attributes in the program.
+
+<a id="sec-function-syntax"/>
+
+* `--function-syntax:<version>` (was `-functionSyntax:<version>` ) - select what function syntax to
+  recognize. The syntax for functions is changing from Dafny version 3
+  to version 4. This switch gives early access to the new syntax, and
+  also provides a mode to help with migration. The valid arguments
+  include the following.
+
+  * `3` (default) - compiled functions are written `function method` and
+    `predicate method`. Ghost functions are written `function` and
+    `predicate`.
+
+  * `4` - compiled functions are written `function` and `predicate`.
+    Ghost functions are written `ghost function` and `ghost predicate`.
+
+  * `migration3to4` - compiled functions are written `function method`
+    and `predicate method`. Ghost functions are written `ghost function`
+    and `ghost predicate`. To migrate from version 3 to version 4, use
+    this flag on your version 3 program to flag all occurrences of
+    `function` and `predicate` as parsing errors. These are ghost
+    functions, so change those into the new syntax `ghost function` and
+    `ghost predicate`. Then, start using \
+    `-functionSyntax:4`. This will
+    flag all occurrences of `function method` and `predicate method` as
+    parsing errors. So, change those to just `function` and `predicate`.
+    As a result, your program will use version 4 syntax and have the
+    same meaning as your previous version 3 program.
+
+  * `experimentalDefaultGhost` - like `migration3to4`, but allow
+    `function` and `predicate` as alternatives to declaring ghost
+    functions and predicates, respectively
+
+  * `experimentalDefaultCompiled` - like `migration3to4`, but allow
+    `function` and `predicate` as alternatives to declaring compiled
+    functions and predicates, respectively
+
+  * `experimentalPredicateAlwaysGhost` - compiled functions are written
+    `function`. Ghost functions are written `ghost function`. Predicates
+    are always ghost and are written `predicate`.
+
+  This option can also be set locally (at the module level) using the `:options`
+  attribute:
+
+<!-- %check-verify -->
+  ```dafny
+  module {:options "--function-syntax:4"} M {
+    predicate CompiledPredicate() { true }
+  }
+  ```
+
+* `--quantifier-syntax:<version>` (was `-quantifierSyntax:<version>` ) - select what quantifier syntax to recognize.
+    The syntax for quantification domains is changing from Dafny version 3 to version 4,
+    more specifically where quantifier ranges (`| <Range>`) are allowed.
+    This switch gives early access to the new syntax.
+
+    * `3` (default) - Ranges are only allowed after all quantified variables are declared.
+        (e.g. `set x, y | 0 <= x < |s| && y in s[x] && 0 <= y :: y`)
+    * `4` - Ranges are allowed after each quantified variable declaration.
+        (e.g. `set x | 0 <= x < |s|, y <- s[x] | 0 <= y :: y`)
+
+    Note that quantifier variable domains (`<- <Domain>`) are available
+    in both syntax versions.
+
+* `-disableScopes` - treat all export sets as `export reveal *` to never
+    hide function bodies or type definitions during translation.
+
+* `-allowsGlobals` - allow the implicit class `_default` to contain
+  fields, instance functions, and instance methods. These class members
+  are declared at the module scope, outside of explicit classes. This
+  command-line option is provided to simplify a transition from the
+  behavior in the language prior to version 1.9.3, from which point
+  onward all functions and methods declared at the module scope are
+  implicitly static and field declarations are not allowed at the
+  module scope.
+
+### 13.9.6. Controlling warnings {#sec-controlling-warnings}
+
+These options control what warnings Dafny produces, and whether to treat
+warnings as errors.
+
+* `--warn-as-errors` (was `-warningsAsErrors`) - treat warnings as errors.
+
+* `--warn-shadowing` (was `-warnShadowing`) - emit a warning if the name 
+  of a declared variable caused another variable to be shadowed.
+
+* `--warn-missing-constructor-parentheses` - warn if a constructor name in a pattern might be misinterpreted
+
+Legacy options
+
+* `-deprecation:<n>` - control warnings about deprecated features. The
+  value of `<n>` can be any of the following.
+
+   * `0` - don't issue any warnings.
+
+   * `1` (default) - issue warnings.
+
+   * `2` - issue warnings and advise about alternate syntax.
+
+### 13.9.7. Controlling verification {#sec-controlling-verification}
+
+These options control how Dafny verifies the input program, including
+how much it verifies, what techniques it uses to perform verification,
+and what information it produces about the verification process.
+
+* `--no-verify` - turns off verification (for translate, build, run commands)
+
+* `--verify-included-files` (was `-verifyAllModules`) - verify modules that come from include directives.
+
+  By default, Dafny only verifies files explicitly listed on the command
+  line: if `a.dfy` includes `b.dfy`, a call to `Dafny a.dfy` will detect
+  and report verification errors from `a.dfy` but not from `b.dfy`.
+
+  With this option, Dafny will instead verify everything: all input
+  modules and all their transitive dependencies. This way `Dafny a.dfy`
+  will verify `a.dfy` and all files that it includes (here `b.dfy`), as
+  well all files that these files include, etc.
+
+  Running Dafny with this option on the file containing your
+  main result is a good way to ensure that all its dependencies verify.
+
+
+* `--track-print-effects` - If true, a compiled method, constructor, or 
+   iterator is allowed to have print effects only if it is marked with 
+   {{:print}}. (default false)
+   The legacy option was `-trackPrintEffects:<n>`) with values 0 or 1
+   for false and true.
+
+* `--relax-definite-assignment` - control the rules governing definite
+  assignment, the property that every variable is eventually assigned a
+  value before it is used.
+  * if false (default), enforce definite-assignment for all non-yield-parameter
+    variables and fields, regardless of their types
+  * if false and `--enforce-determinism` is true, then also performs 
+    checks in the compiler that no nondeterministic statements are used
+  * if true, enforce definite-assignment rules for compiled
+    variables and fields whose types do not support auto-initialization
+    and for ghost variables and fields whose type is possibly empty.
+
+* `--disable-nonlinear-arithmetic` (was `-noNLarith`) - reduce 
+  Z3's knowledge of non-linear arithmetic (the
+  operators `*`, `/`, and `%`). Enabling this option will typically
+  require more manual work to complete proofs (by explicitly applying
+  lemmas about non-linear operators), but will also result in more
+  predictable behavior, since Z3 can sometimes get stuck down an
+  unproductive path while attempting to prove things about those
+  operators. (This option will perhaps be replaced by `-arith` in the
+  future. For now, it takes precedence over `-arith`.)
+
+  The behavior of `disable-nonlinear-arithmetic` can be turned on and off on a per-module basis 
+  by placing the attribute [`{:disable-nonlinear-arithmetic}`](#sec-disable-nonlinear-arithmetic) after the module keyword.
+  The attribute optionally takes the value `false` to enable nonlinear arithmetic.
+
+* `--manual-lemma-induction` - disables automatic inducntion for lemmas
+
+* `--isolate-assertions` - verify assertions individually
+
+* `--extract-counterexample` - if verification fails, report a potential
+  counterexample as a set of assumptions that can be inserted into the code.
+  Note that Danfy cannot guarantee that the counterexample
+  it reports provably violates the assertion or that the assumptions are not
+  mutually inconsistent (see [^smt-encoding]), so this output should be inspected manually and treated as a hint.
+
+Controlling the proof engine:
+
+* `--cores:<n>` - sets the number or percent of the available cores to be used for verification
+* `--verification-time-limit <seconds>` - imposes a time limit on each verification attempt
+* `--verification-error-limit <number>` - limits the number of verification errors reported (0 is no limit)
+* `--resource-limit` - states a resource limit (to be used by the backend solver)
+
+Legacy options:
+
+* `-dafnyVerify:<n>` [discouraged] - turn verification of the program on or off. The
+  value of `<n>` can be any of the following.
+
+  * `0` - stop after type checking.
+
+  * `1` - continue on to verification and compilation.
+
+
+* `-separateModuleOutput` - output verification results for each module
+  separately, rather than aggregating them after they are all finished.
+
+* `-mimicVerificationOf:<dafny version>` - let `dafny` attempt to mimic
+  the verification behavior of a previous version of `dafny`. This can be
+  useful during migration to a newer version of `dafny` when a Dafny
+  program has proofs, such as methods or lemmas, that are highly variable in
+  the sense that their verification may become slower or fail altogether
+  after logically irrelevant changes are made in the verification input.
+
+  Accepted versions are: `3.3`. Note that falling back on the behavior
+  of version 3.3 turns off features that prevent certain classes of
+  verification variability.
+
+* `-noCheating:<n>` - control whether certain assumptions are allowed.
+  The value of `<n>` can be one of the following.
+
+  * `0` (default) - allow `assume` statements and free invariants.
+
+  * `1` - treat all assumptions as `assert` statements, and drop free
+    invariants.
+
+* `-induction:<n>` - control the behavior of induction. The value of
+  `<n>` can be one of the following.
+
+  * `0` - never do induction, not even when attributes request it.
+
+  * `1` - apply induction only when attributes request it.
+
+  * `2` - apply induction as requested (by attributes) and also for
+    heuristically chosen quantifiers.
+
+  * `3` - apply induction as requested, and for heuristically chosen
+    quantifiers and lemmas.
+
+  * `4` (default) - apply induction as requested, and for all lemmas.
+
+* `-inductionHeuristic:<n>` - control the heuristics used for induction.
+  The value of `<n>` can be one of the following.
+
+  * `0` - use the least discriminating induction heuristic (that is,
+    lean toward applying induction more often).
+
+  * `1`, `2`, `3`, `4`, `5` - use an intermediate heuristic, ordered as
+    follows as far as how discriminating they are: 0 < 1 < 2 < (3,4) < 5
+    < 6.
+
+  * `6` (default) - use the most discriminating induction heuristic.
+
+* `-allocated:<n>` - specify defaults for where Dafny should assert and
+  assume `allocated(x)` for various parameters `x`, local variables `x`,
+  bound variables `x`, etc. Lower `<n>` may require more manual
+  `allocated(x)` annotations and thus may be more difficult to use. The
+  value of `<n>` can be one of the following.
+
+  * `0` - never assume or assert `allocated(x)` by default.
+
+  * `1` - assume `allocated(x)` only for non-ghost variables and fields.
+    (These assumptions are free, since non-ghost variables always
+    contain allocated values at run-time.) This option may speed up
+    verification relative to `-allocated:2`.
+
+  * `2` - assert/assume `allocated(x)` on all variables, even bound
+    variables in quantifiers. This option is the easiest to use for code
+    that uses the heap heavily.
+
+  * `3` - (default) make frugal use of heap parameters.
+
+  * `4` - like `3` but add `allocated` antecedents when ranges don't imply
+    allocatedness.
+
+  Warning: this option should be chosen consistently across an entire
+  project; it would be unsound to use different defaults for different
+  files or modules within a project. Furthermore, modes `-allocated:0` and
+  `-allocated:1` let functions depend on the allocation state, which is
+  not sound in general.
+
+* `-noAutoReq` - ignore `autoReq` attributes, and therefore do not
+  automatically generate `requires` clauses.
+
+* `-autoReqPrint:<file>` - print the requires clauses that were
+  automatically generated by `autoReq` to the given `<file>`.
+
+* `-arith:<n>` - control how arithmetic is modeled during verification.
+  This is an experimental switch, and its options may change. The value
+  of `<n>` can be one of the following.
+
+  * `0` - use Boogie/Z3 built-ins for all arithmetic operations.
+
+  * `1` (default) - like `0`, but introduce symbolic synonyms for `*`,
+    `/`, and `%`, and allow these operators to be used in triggers.
+
+  * `2` - like `1`, but also introduce symbolic synonyms for `+` and
+    `-`.
+
+  * `3` - turn off non-linear arithmetic in the SMT solver. Still use
+    Boogie/Z3 built-in symbols for all arithmetic operations.
+
+  * `4` - like `3`, but introduce symbolic synonyms for `*`, `/`, and `%`,
+    and allow these operators to be used in triggers.
+
+  * `5` - like `4`, but also introduce symbolic synonyms for `+` and
+    `-`.
+
+  * `6` - like `5`, and introduce axioms that distribute `+` over `*`.
+
+  * `7` - like `6`, and introduce facts about the associativity of
+    literal arguments over `*`.
+
+  * `8` - like `7`, and introduce axioms for the connection between `*`,
+    `/`, and `%`.
+
+  * `9` - like `8`, and introduce axioms for sign of multiplication.
+
+  * `10` - like `9`, and introduce axioms for commutativity and
+    associativity of `*`.
+
+* `-autoTriggers:<n>` - control automatic generation of `{:trigger}`
+  annotations. See [triggers](#sec-trigger). The value of `<n>` can be one
+  of the following.
+
+  * `0` - do not generate `{:trigger}` annotations for user-level
+    quantifiers.
+
+  * `1` (default) - add a `{:trigger}` annotation to each user-level
+    quantifier. Existing annotations are preserved.
+
+* `-rewriteFocalPredicates:<n>` - control rewriting of predicates in the
+  body of prefix lemmas. See [the section about nicer extreme proofs](#sec-nicer-proofs-of-extremes).
+  The value of `<n>` can be one of the following.
+
+  * `0` - don't rewrite predicates in the body of prefix lemmas.
+
+  * `1` (default) - in the body of prefix lemmas, rewrite any use of a
+    focal predicate `P` to `P#[_k-1]`.
+
+### 13.9.8. Controlling compilation {#sec-controlling-compilation}
+
+These options control what code gets compiled, what target language is
+used, how compilation proceeds, and whether the compiled program is
+immediately executed.
+
+* `--target:<s>` or `-t:<s>` (was `-compileTarget:<s>`) - set the target programming language for the
+  compiler. The value of `<s>` can be one of the following.
+
+   * `cs` - C\# . Produces a .dll file that can be run using `dotnet`.
+      For example, `dafny Hello.dfy` will produce `Hello.dll` and `Hello.runtimeconfig.json`.
+      The dll can be run using `dotnet Hello.dll`.
+
+   * `go` - Go. The default output of `dafny Hello.dfy -compileTarget:go` is
+      in the `Hello-go` folder. It is run using
+      ``GOPATH=`pwd`/Hello-go/ GO111MODULE=auto go run Hello-go/src/Hello.go``
+
+   * `js` - Javascript. The default output of `dafny Hello.dfy -compileTarget:js` is
+      the file `Hello.js`, which can be run using `node Hello.js`. (You must have 
+      `bignumber.js` installed.)
+
+   * `java` - Java. The default output of `dafny Hello.dfy -compileTarget:java` is
+      in the `Hello-java` folder. The compiled program can be run using
+      `java -cp Hello-java:Hello-java/DafnyRuntime.jar Hello`.
+
+   * `py` - Python. The default output of `dafny Hello.dfy -compileTarget:py` is
+      in the `Hello-py` folder. The compiled program can be run using
+      `python Hello-py/Hello.py`, where `python` is Python version 3.
+
+   * `cpp` - C++. The default output of `dafny Hello.dfy -compileTarget:cpp` is
+      `Hello.exe` and other files written to the current folder. The compiled
+      program can be run using `./Hello.exe`.
+
+* `--input <file>` - designates files to be include in the compilation in addition to the main file in
+  `dafny run`; these may be non-.dfy files; this option may be specified more than once
+
+* `--output:<file>` or `-o:<file>` (was `-out:<file>`) - set the name to use for compiled code files.
+
+By default, `dafny` reuses the name of the Dafny file being compiled.
+Compilers that generate a single file use the file name as-is (e.g. the
+C# backend will generate `<file>.dll` and optionally `<file>.cs` with
+`-spillTargetCode`). Compilers that generate multiple files use the file
+name as a directory name (e.g. the Java backend will generate files in
+directory `<file>-java/`). Any file extension is ignored, so
+`-out:<file>` is the same as `-out:<file>.<ext>` if `<file>` contains no
+periods.
+
+* `--include-runtime` - include the runtime library for the target language in
+  the generated artifacts. This is true by default for build and run, 
+  but false by default for translate. The legacy option `-useRuntimeLib` had the 
+  opposite effect: when enabled, the compiled assembly referred to
+  the pre-built `DafnyRuntime.dll` in the
+  compiled assembly rather than including `DafnyRuntime.cs` in the build
+  process. 
+
+
+Legacy options:
+
+* `-compile:<n>` -  [obsolete - use `dafny build` or `dafny run`] control whether compilation 
+   happens. The value of
+  `<n>` can be one of the following. Note that if the program is 
+   compiled, it will be compiled to the target language determined by
+   the `-compileTarget` option, which is C\# by default.
+
+   * `0` - do not compile the program
+
+   * `1` (default) - upon successful verification, compile the program
+     to the target language.
+
+   * `2` - always compile, regardless of verification success.
+
+   * `3` - if verification is successful, compile the program (like
+     option `1`), and then if there is a `Main` method, attempt to run the
+     program.
+
+   * `4` - always compile (like option `2`), and then if there is a
+     `Main` method, attempt to run the program.
+
+* `-spillTargetCode:<n>` - [obsolete - use `dafny translate`) control whether to write out compiled code in
+  the target language (instead of just holding it in internal temporary
+  memory). The value of `<n>` can be one of the following.
+
+   * `0` (default) - don't make any extra effort to write the textual
+     target program (but still compile it, if `-compile` indicates to do
+     so).
+
+   * `1` - write it out to the target language, if it is being compiled.
+
+   * `2` - write the compiled program if it passes verification,
+     regardless of the `-compile` setting.
+
+   * `3` - write the compiled program regardless of verification success
+     and the `-compile` setting.
+
+Note that some compiler targets may (always or in some situations) write
+out the textual target program as part of compilation, in which case
+`-spillTargetCode:0` behaves the same way as `-spillTargetCode:1`.
+
+* `-Main:<name>` - specify the (fully-qualified) name of the method to
+  use as the executable entry point. The default is the method with the
+  `{:main}` attribute, or else the method named `Main`.
+
+* `-compileVerbose:<n>` - control whether to write out compilation
+  progress information. The value of `<n>` can be one of the following.
+
+  * `0` - do not print any information (silent mode)
+
+  * `1` (default) - print information such as the files being created by
+    the compiler
+
+* `-coverage:<file>` - emit branch-coverage calls and outputs into
+  `<file>`, including a legend that gives a description of each
+  source-location identifier used in the branch-coverage calls. (Use `-`
+  as `<file>` to print to the console.)
+
+* `-optimize` - produce optimized C# code by passing the `/optimize`
+  flag to the `csc` executable.
+
+* `-optimizeResolution:<n>` - control optimization of method target
+  resolution. The value of `<n>` can be one of the following.
+
+  * `0` - resolve and translate all methods.
+
+  * `1` - translate methods only in the call graph of the current
+    verification target.
+
+  * `2` (default) - as in `1`, but resolve only methods that are defined
+    in the current verification target file, not in included files.
+
+
+* `-testContracts:<mode>` - test certain function and method contracts
+  at runtime. This works by generating a wrapper for each function or
+  method to be tested that includes a sequence of `expect` statements
+  for each requires clause, a call to the original, and sequence of
+  `expect` statements for each `ensures` clause. This is particularly
+  useful for code marked with the `{:extern}` attribute and implemented
+  in the target language instead of Dafny. Having runtime checks of the
+  contracts on such code makes it possible to gather evidence that the
+  target-language code satisfies the assumptions made of it during Dafny
+  verification through mechanisms ranging from manual tests through
+  fuzzing to full verification. For the latter two use cases, having
+  checks for `requires` clauses can be helpful, even if the Dafny
+  calling code will never violate them.
+
+  The `<mode>` parameter can currently be one of the following.
+
+  * `Externs` - insert dynamic checks when calling any function or
+    method marked with the `{:extern}` attribute, wherever the call
+    occurs.
+
+  * `TestedExterns` - insert dynamic checks when calling any function or
+    method marked with the `{:extern}` attribute directly from a
+    function or method marked with the `{:test}` attribute.
+
+### 13.9.9. Controlling Boogie {#sec-controlling-boogie}
+
+Dafny builds on top of Boogie, a general-purpose intermediate language
+for verification. Options supported by Boogie on its own are also
+supported by Dafny. Some of the Boogie options most relevant to Dafny
+users include the following. We use the term "procedure" below to refer
+to a Dafny function, lemma, method, or predicate, following Boogie
+terminology.
+
+* `--solver-path` - specifies a custom SMT solver to use
+
+* `--solver-plugin` - specifies a plugin to use as the SMT solver, instead of an external pdafny translaterocess
+
+* `--boogie` - arguments to send to boogie
+
+Legacy options:
+
+* `-proc:<name>` - verify only the procedure named `<name>`. The name
+  can include `*` to indicate arbitrary sequences of characters.
+
+* `-trace` - print extra information during verification, including
+  timing, resource use, and outcome for each procedure incrementally, as
+  verification finishes.
+
+* `-randomSeed:<n>` - turn on randomization of the input that Boogie
+  passes to the SMT solver and turn on randomization in the SMT solver
+  itself.
+
+  Certain Boogie inputs cause proof variability in the sense that changes to the
+  input that preserve its meaning may cause the output to change. The
+  `-randomSeed` option simulates meaning-preserving changes to the
+  input without requiring the user to actually make those changes.
+
+  The `-randomSeed` option is implemented by renaming variables and
+  reordering declarations in the input, and by setting
+  solver options that have similar effects.
+
+* `-randomSeedIterations:<n>` - attempt to prove each VC `<n>` times
+  with `<n>` random seeds. If `-randomSeed` has been provided, each
+  proof attempt will use a new random seed derived from this original
+  seed. If not, it will implicitly use `-randomSeed:0` to ensure a
+  difference between iterations. This option can be very useful for
+  identifying input programs for which verification is highly variable. If the
+  verification times or solver resource counts associated with each
+  proof attempt vary widely for a given procedure, small changes to that
+  procedure might be more likely to cause proofs to fail in the future.
+
+* `-vcsSplitOnEveryAssert` - prove each (explicit or implicit) assertion
+  in each procedure separately. See also the attribute
+  [`{:isolate_assertions}`](#sec-isolate_assertions) for
+  restricting this option on specific procedures. By default, Boogie
+  attempts to prove that every assertion in a given procedure holds all
+  at once, in a single query to an SMT solver. This usually performs
+  well, but sometimes causes the solver to take longer. If a proof that
+  you believe should succeed is timing out, using this option can
+  sometimes help.
+
+* `-timeLimit:<n>` - spend at most `<n>` seconds attempting to prove any
+  single SMT query. This setting can also be set per method using the
+  attribute [`{:timeLimit n}`](#sec-time-limit).
+
+* `-rlimit:<n>` - set the maximum solver resource count to use while
+  proving a single SMT query. This can be a more deterministic approach
+  than setting a time limit. To choose an appropriate value, please
+  refer to the documentation of the attribute [`{:rlimit}`](#sec-rlimit)
+  that can be applied per procedure.
+
+* `-print:<file>` - print the translation of the Dafny file to a Boogie file.
+
+If you have Boogie installed locally, you can run the printed Boogie file with the following script:
+
+```bash
+DOTNET=$(which dotnet)
+
+BOOGIE_ROOT="path/to/boogie/Source"
+BOOGIE="$BOOGIE_ROOT/BoogieDriver/bin/Debug/net8.0/BoogieDriver.dll"
+
+if [[ ! -x "$DOTNET" ]]; then
+    echo "Error: Dafny requires .NET Core to run on non-Windows systems."
+    exit 1
+fi
+
+#Uncomment if you prefer to use the executable instead of the DLL
+#BOOGIE=$(which boogie)
+
+BOOGIE_OPTIONS="/infer:j"
+PROVER_OPTIONS="\
+  /proverOpt:O:auto_config=false \
+  /proverOpt:O:type_check=true \
+  /proverOpt:O:smt.case_split=3 \
+  /proverOpt:O:smt.qi.eager_threshold=100 \
+  /proverOpt:O:smt.delay_units=true \
+  /proverOpt:O:smt.arith.solver=2 \
+  "
+
+"$DOTNET" "$BOOGIE" $BOOGIE_OPTIONS $PROVER_OPTIONS "$@"
+#Uncomment if you want to use the executable instead of the DLL
+#"$BOOGIE" $BOOGIE_OPTIONS $PROVER_OPTIONS "$@"
+```
+
+### 13.9.10. Controlling the prover {#sec-controlling-prover}
+
+Much of controlling the prover is accomplished by controlling 
+verification condition generation ([25.9.7](#sec-controlling-verification)) or Boogie 
+([Section 13.9.9](#sec-controlling-boogie)). 
+The following options are also commonly used:
+
+* `--verification-error-limit:<n>` - limits the number of verification errors reported per procedure.
+  Default is 5; 0 means as many as possible; a small positive number runs faster
+  but a large positive number reports more errors per run
+
+* `--verification-time-limit:<n>` (was `-timeLimit:<n>`) - limits 
+  the number of seconds spent trying to verify each assertion batch.
+
+
+### 13.9.11. Controlling test generation {#sec-controlling-test-gen}
+
+Dafny is capable of generating unit (runtime) tests. It does so by asking the prover to solve
+for values of inputs to a method that cause the program to execute specific blocks or paths.
+A detailed description of how to do this is given in
+[a separate document](https://github.com/dafny-lang/dafny/blob/master/Source/DafnyTestGeneration/README.md).
+
diff --git a/v4.10.0/DafnyRef/VSCodeIDE.md b/v4.10.0/DafnyRef/VSCodeIDE.md
new file mode 100644
index 0000000..c4b73f4
--- /dev/null
+++ b/v4.10.0/DafnyRef/VSCodeIDE.md
@@ -0,0 +1,158 @@
+# 14. Dafny VSCode extension and the Dafny Language Server {#sec-dafny-language-server-vscode}
+
+## 14.1. Dafny functionality within VSCode
+
+There is a language server for Dafny, which [implements](https://github.com/dafny-lang/dafny/tree/master/Source/DafnyLanguageServer) the [Language Server Protocol](https://microsoft.github.io/language-server-protocol/).
+This server is used by the Dafny VSCode Extension; it currently offers the following features:
+- Quick syntax highlighting
+- As-you-type parsing, resolution and verification diagnostics
+- Support for [Dafny plugins](https://github.com/dafny-lang/dafny/tree/master/Source/DafnyLanguageServer#plugins)
+- Expanded explanations (in addition to the error message) for selected errors (and more being added), shown by hovering
+- Quick fixes for selected errors (and more being added)
+- Limited support for symbol completion
+- Limited support for code navigation
+- Counter-example display
+- Highlighting of ghost statements
+- Gutter highlights
+- A variety of Preference settings
+
+Most of the Dafny functionality is simply there when editing a .dfy file with VSCode that has the Dafny extension installed.
+Some actions are available through added menu items.
+The Dafny functionality within VSCode can be found in these locations:
+
+- The preferences are under the menu Code->Preferences->Settings->Dafny extension configuration. There are two sections of settings.
+- A hover over an error location will bring up a hover popup, which will show expanded error information and any quick fix options that are available.
+- Within a .dfy editor, a right-click brings up a context menu, which has a menu item 'Dafny'. Under it are actions to Build or Run a program,
+to turn on or off counterexample display, find definitions, and the like.
+
+## 14.2. Gutter highlights {#sec-gutter-highlights}
+
+Feedback on a program is show visually as underlining with squiggles within the text and as various markings in various colors in the _gutter_ down the left side of an editor window.
+
+The first time a file is loaded, the gutter will highlight in a transparent squiggly green line all the methods that need to be verified, like this:
+
+![image](https://user-images.githubusercontent.com/3601079/178058374-a1e5e9ca-2c5e-493a-bb60-d00310962741.png)
+
+When the file is saved (in verification on save), or whenever the Dafny verifier is ready (in verification on change), it will start to verify methods.
+That line will turn into a thin green rectangle on methods that have been verified, and display an animated less transparent green squiggly line on methods that are being actively verified:
+
+![image](https://user-images.githubusercontent.com/3601079/178058713-1266a23f-fdb4-4494-844a-488cc214c797.png)
+
+When the verification finishes, if a method, a function, a constant with default initialization or a subset type with a witness has some verification errors in it,
+the editor will display two yellow vertical rails indicating an error context.
+
+![image](https://user-images.githubusercontent.com/3601079/178058908-71425938-57a4-454d-805d-2923d7c4de73.png)
+
+Inside this context, if there is a failing assertion on a line,
+it will fill the gap between the vertical yellow bars with a red rectangle, even if there might be other assertions that are verified on the line.
+If there is no error on a line, but there is at least one assertion that verified, it will display a green disk with a white checkmark on it,
+which can be used to check progress in a proof search.
+
+As soon as a line is changed, the gutter icons turn transparent and squiggly, to indicate their obsolescence.
+
+![image](https://user-images.githubusercontent.com/3601079/178063330-dd346ddf-aa60-487e-a368-3a4af572aeac.png)
+
+The red error rectangles occupy only half the horizontal space, to visualise their possible obsolescence.
+
+When the file is saved (in verification on save), or as soon as possible otherwise,
+these squiggly icons will be animated while the Dafny verifier inspect the area.
+
+![image](https://user-images.githubusercontent.com/3601079/178063848-d0fb02d9-c743-4ffc-9e34-c5f8731c79d1.png)
+
+If the method was verifying before a change, instead of two yellow vertical bars with a red squiggly line,
+the gutter icons display an animated squiggly but more firm green line, thereby indicating that the method used to verify,
+but Dafny is still re-verifying it.
+
+![image](https://user-images.githubusercontent.com/3601079/178068281-f15fa83f-6180-4de1-ab63-b65957f6c86b.png)
+
+If there is a parse or resolution error, the previous gutter icons turn gray and a red triangle indicates 
+the position of the parse or resolution error.
+
+![image](https://user-images.githubusercontent.com/3601079/178068650-24c14da1-d247-4027-b784-2eb055242e6b.png)
+
+
+## 14.3. The Dafny Server {#sec-old-dafny-server}
+
+Before Dafny [implemented](https://github.com/dafny-lang/dafny/tree/master/Source/DafnyLanguageServer) the official [Language Server Protocol](https://microsoft.github.io/language-server-protocol/), it implemented its own protocol for [Emacs](https://github.com/boogie-org/boogie-friends), which resulted in a project called [DafnyServer](https://github.com/dafny-lang/dafny/tree/master/Source/DafnyServer). While the latest Dafny releases still contain a working DafnyServer binary, this component has been feature frozen since 2022, and it may not support features that were added to Dafny after that time. We do not recommend using it.
+
+The Dafny Server has [integration tests](https://github.com/dafny-lang/dafny/tree/master/Test/server) that serve as the basis of the documentation.
+
+The server is essentially a REPL, which produces output in the same format as the Dafny CLI; clients thus
+do not need to understand the internals of Dafny's caching.  A typical editing session proceeds as follows:
+
+* When a new Dafny file is opened, the editor starts a new instance of the
+  Dafny server.  The cache is blank at that point.
+* The editor sends a copy of the buffer for initial verification.  This takes
+  some time, after which the server returns a list of errors.
+* The user makes modifications; the editor periodically sends a new copy of
+  the buffer's contents to the Dafny server, which quickly returns an updated
+  list of errors.
+
+The client-server protocol is sequential, uses JSON, and works over ASCII
+pipes by base64-encoding utf-8 queries.  It defines one type of query, and two
+types of responses:
+
+Queries are of the following form:
+
+     verify
+     <base64 encoded JSON payload>
+     [[DAFNY-CLIENT: EOM]]
+
+Responses are of the following form:
+
+     <list of errors and usual output, as produced by the Dafny CLI>
+     [SUCCESS] [[DAFNY-SERVER: EOM]]
+
+or
+
+     <error message>
+     [FAILURE] [[DAFNY-SERVER: EOM]]
+
+The JSON payload is an utf-8 encoded string resulting of the serialization of
+a dictionary with 4 fields:
+   * args:   An array of Dafny arguments, as passed to the Dafny CLI
+   * source: A Dafny program, or the path to a Dafny source file.
+   * sourceIsFile: A boolean indicating whether the 'source' argument is a
+                   Dafny program or the path to one.
+   * filename:     The name of the original source file, to be used in error
+                   messages
+
+For small files, embedding the Dafny source directly into a message is
+convenient; for larger files, however, it is generally better for performance
+to write the source snapshot to a separate file, and to pass that to Dafny
+by setting the 'sourceIsFile' flag to true.
+
+For example, if you compile and run `DafnyServer.exe`, you could paste the following command:
+
+<!-- %no-check -->
+```dafny
+verify
+eyJhcmdzIjpbIi9jb21waWxlOjAiLCIvcHJpbnRUb29sdGlwcyIsIi90aW1lTGltaXQ6MjAiXSwi
+ZmlsZW5hbWUiOiJ0cmFuc2NyaXB0Iiwic291cmNlIjoibWV0aG9kIEEoYTppbnQpIHJldHVybnMg
+KGI6IGludCkge1xuICBiIDo9IGE7XG4gIGFzc2VydCBmYWxzZTtcbn1cbiIsInNvdXJjZUlzRmls
+ZSI6ZmFsc2V9
+[[DAFNY-CLIENT: EOM]]
+```
+
+The interpreter sees the command `verify`, and then starts reading every line until it sees `[[DAFNY-CLIENT: EOM]]`
+The payload is a base64 encoded string that you could encode or decode using JavaScript's `atob` and `btoa` function.
+For example, the payload above was generated using the following code:
+```js
+btoa(JSON.stringify({
+  "args": [
+    "/compile:0",
+    "/printTooltips",
+    "/timeLimit:20"
+   ],
+   "filename":"transcript",
+   "source":
+`method A(a:int) returns (b: int) {
+   b := a;
+   assert false;
+}
+`,"sourceIsFile": false}))
+=== "eyJhcmdzIjpbIi9jb21waWxlOjAiLCIvcHJpbnRUb29sdGlwcyIsIi90aW1lTGltaXQ6MjAiXSwiZmlsZW5hbWUiOiJ0cmFuc2NyaXB0Iiwic291cmNlIjoibWV0aG9kIEEoYTppbnQpIHJldHVybnMgKGI6IGludCkge1xuICBiIDo9IGE7XG4gIGFzc2VydCBmYWxzZTtcbn1cbiIsInNvdXJjZUlzRmlsZSI6ZmFsc2V9"
+```
+
+Thus to decode such output, you'd manually use `JSON.parse(atob(payload))`.
+
diff --git a/v4.10.0/DafnyRef/concat b/v4.10.0/DafnyRef/concat
new file mode 100644
index 0000000..8c6ab74
--- /dev/null
+++ b/v4.10.0/DafnyRef/concat
@@ -0,0 +1,39 @@
+#! /bin/bash -f
+
+## pandoc does not process the include directive in GitHub markdown
+## so we do a bit of (inefficient) text processing to assemble the files
+## NOTE: this script is finickhy about the white space in the include directive
+## NOTE: All included files must be in the _includes folder
+
+tmp=/tmp/dafnyt$pid
+tmpZ=/tmp/dafnyZ$pid
+tmpA=/tmp/dafnyA$pid
+tmpB=/tmp/dafnyB$pid
+
+cat $@ > $tmp
+
+grep -q '{% include' $tmp
+a=$?
+
+for (( ; $a==0 ; ))
+do
+
+mv $tmp $tmpZ
+grep -v 'PDFOMIT' $tmpZ > $tmp
+line=`grep -n '{% include_relative' $tmp | head -1 | sed -e 's/:.*//'`
+file=`grep -n '{% include_relative' $tmp | head -1 | sed -e 's/.*include_relative //' -e 's/%}//' `
+la=`wc -l < $tmp`
+let "ln = $line - 1"
+let "lp = $la - $line"
+#echo $line $file $la $ln $lp $file `wc -l $tmp`
+head -n $ln < $tmp > $tmpA
+tail -n $lp < $tmp > $tmpB
+cat $tmpA $file $tmpB > $tmp
+
+grep -q '{% include_relative' $tmp
+a=$?
+
+done
+
+cat $tmp
+
diff --git a/v4.10.0/DafnyRef/integration- rust/IntegrationRust.md b/v4.10.0/DafnyRef/integration- rust/IntegrationRust.md
new file mode 100644
index 0000000..6eb44ff
--- /dev/null
+++ b/v4.10.0/DafnyRef/integration- rust/IntegrationRust.md	
@@ -0,0 +1,184 @@
+---
+title: Integrating Dafny and Rust code
+---
+
+## THIS FILE IS A WORK IN PROGRESS, IT CAN BE MODIFIED AT ANY TIME WITHOUT NOTICE
+** The Dafny-to-Rust compiler is not an officially supported backend yet**
+
+The `dafny build` and `dafny run` currently translate a entry Dafny program `<program>.dfy`
+or project file like `program/dfyconfig.toml` into the following architecture,
+where the program depends on the Dafny runtime crate explicitly.
+```
+program-rust/   // Can be changed with --output:
+  runtime/
+    src/
+      lib.rs    // The Dafny runtime
+    cargo.lock
+    cargo.toml
+  src/
+    program.rs  // The generated program
+  cargo.lock
+  cargo.toml
+```
+
+With `dafny translate`, only `program-rust/src/program.rs` is emitted.
+
+## **Matching Dafny and Rust types**
+
+It's worth recalling that Rust has two semantics for variables:
+
+* *Copy semantics* are the one everyone used to `C#`, `Java`, `JavaScript`, `Go` understand.
+At run-time, it means the actual bits of memory are copied from one location to the other.
+Primitive types like `bool`, `u8`, `i8`, `u16`... but also any references `& T`, `&mut T`, `*const T`, `*mut T` or structs of these types have copy semantics.
+* *Move semantics* or *owned semantics* indicate that once a variable or a field is used without borrowing, it can no longer be used afterwards. These are the semantics that allow Rust to forget the garbage collector, by cleaning up resources Rust can statically determine they are not longer used.
+Move semantics are the default for any type that does not implement the `Copy` trait.
+
+Dafny has only Copy semantics, which as said offer a straight encoding for primitive types and reference types.
+However, immutable types and datatypes are a bit harder, because variables containing them would have
+move semantics by default. Fortunately, there exist a method `Cloneable::clone(&self)` that borrows an object of a struct or enum that implements the trait `Clone` and can create a duplicate. That method is a no-op for types implementing the `Copy` trait.
+
+Hence, whenever a variable with move semantics (borrowed or owned) is used in a place that expects an owned value (such as an addition), Dafny inserts a `.Clone()` call in Rust so that the result can be used independently of the variable. Moreover, to pass a variable to any function, it must be either borrowed (prefixed with `&`) or cloned, unless Dafny could theoretically determine it's the last occurrence of this variable.
+
+For maximum flexibility, Dafny follows these rules to encode types in Rust:
+- Function parameters always take primitive types without borrowing them (`bool`, `u32`, etc.) 
+- Function parameters always borrow variables of other types (`DafnyString`, structs, etc.), because
+  borrowing is always cheaper than cloning for non-Copy types.  
+  Open question: There are at least two more possible alternatives
+  - We could actually have parameters be always owned, which require `.clone()` also to be used at the call site
+  - We could have parameter attributes like `{:rc_owned true}` so that users can choose which API to precisely give to their functions.
+- Functions always return an owned type, otherwise we would need to have an automated theory about lifetimes of returned borrowed references, which Dafny does not support yet. Moreover, borrowing a variable makes its lifetime not `'static`, so it's not possible to use that trait.
+- `& T` and `&mut T` annotations only appear at the top-level of types, never nested.
+- Class types are encoded in reference-counted pointers by default, but there is a command-line flag `--raw-pointers` that encodes class type into an equivalent of a raw pointer. The Dafny team will have to make a deallocation statement available in the future, as it is not available yet. Please weight in on [this issue](https://github.com/dafny-lang/dafny/issues/5257) if you are interested.
+
+For each construct, the third column indicates if it's in the Dafny runtime, is native built-in in Rust, or is a Rust crate.
+If runtime, it also indicates in parentheses what it is roughly equivalent to. `[[U]]` notation indicates the Rust equivalent of the Dafny type `U`.
+The exact runtime types are subject to change, and code that is not Dafny-generated should not rely on those details.
+
+For guaranteed stability, code interfacting with Dafny structures should use types and conversions from `pub mod dafny_runtime_conversions`, such as `::dafny_runtime::dafny_runtime_conversions::DafnySequence<T>` and `::dafny_runtime::dafny_runtime_conversions::vec_to_dafny_sequence(array: &Vec<X>, elem_converter: fn(&X) -> T) -> DafnySequence<T>` for example.
+
+|  Dafny type                   |   Rust type                 | Defined in       |
+|-------------------------------|-----------------------------|------------------|
+| `bool`                        | `bool`                      | Native           |
+| `int`                         | `DafnyInt`                  | Runtime (`Rc<num::BigInt>`) |
+| `int64`                       | `i64`                       | Native           |
+| `int32`                       | `i32`                       | Native           |
+| `int16`                       | `i16`                       | Native           |
+| `int8`                        | `i8`                        | Native           |
+| `char`                        | `DafnyChar`                 | Runtime (`char`) |
+| `char` (`--unicode-chars=false`)| `DafnyCharUTF16`          | Runtime (`u16`)  |
+| `bv8` ... `bv128`             | `u8` ... `u128`             | Native           |
+| `type T = u: U | <range>`     | `[[U]]`                     | Native           |
+| `newtype T = u: U | range`    | `struct T([[U]])`           | Native           |
+| `newtype T = u: int | <range>`| `u8` ... `i128`             | Native           |
+| `ORDINAL`                     | N/A                         | TODO             |
+| `real`                        | Partially supported         | TODO             |
+| `seq<T>`                      | `Sequence<[[T]]>           `| Runtime |
+| `set<T>`, `iset<T>`           | `Set<[[T]]>`                | Runtime |
+| `multiset<T>`                 | `Multiset<[[T]]>`           | Runtime |
+| `map<T>`, `imap<T>`           | `Map<[[T]]>`                | Runtime |
+| `string`                      | `DafnyString`           | Runtime (`Sequence<DafnyCharUTF16>`) |
+| `string` (`--unicode-chars=false`)| `DafnyStringUTF16`      | Runtime (`Sequence<DafnyCharUTF16>`) |
+| (co)datatype `D`              | `std::rc::Rc<D>`            | Native wrapped struct |
+| (co)datatype `D` with attribute `{:rust_rc false}` | `D`    | Native struct    |
+| `(T1, T2...)`  (Up to size 12)| `(T1, T2...)`               | Native           |
+| `(T1, T2..., TN)` (13<=N<=20) | `_System.TupleN`            | Runtime because Rust limitations |
+| `A -> B`                      | `Rc<dyn Fn([[A]]) -> [[B]]>`| Native (note: arguments always borrowed) |
+
+## Encoding of classes and arrays (default)
+By default, Dafny uses reference counting to compile class and array references.
+
+|  Dafny type                   |   Rust type             | Defined in       |
+|-------------------------------|-------------------------|------------------|
+| `C`, `C?` (for class, iterator C) | `Object<C>`         | Runtime (`Option<Rc<UnsafeCell<C>>>`) |
+| (trait) `T`                   | (trait) `Object<dyn T>` | Runtime (`Option<Rc<UnsafeCell<dyn T>>>`) |
+| `array<T>`                    | `Object<[T]>`           | Runtime (`Option<Rc<UnsafeCell<[T]>>>`) |
+| `array2<T>`                   | `Object<array2<T>>`     | Runtime (`struct array2 {length0: usize, length1: usize, data: Box<[Box<[T]>]>}`)     |
+| `array3<T>` ... `array16<T>`  | `Object<array3<T>>` ... `Object<array16<T>>` | Runtime (`struct arrayN {length0: usize, ... lengthN-1: usize, data: Box<[...Box<[T]>...]>}`)     |
+| `c.x` if `c: C`               | `rd!(c).x`              | Runtime         |
+| `c.x := 2` if `c: C`          | `md!(c).x = 2`          | Runtime         |
+| `a[0]` if `a: array<T>`       | `rd!(a)[0]`             | Runtime         |
+| `a[1] := 2` if  `a: array<T>` | `md!(a)[1] = 2`         | Runtime         |
+
+
+## Encoding of classes and arrays with the option --raw-pointers
+The option `--raw-pointers` ensures that classes only have 8 bytes pointers,
+and array only have 8 bytes pointers + information about the length,
+and point to raw memory. Therefore, pointers have copy semantics and
+no call to any clone method needs to be made.
+However, since pointer comparison in Rust normally compares vtables,
+which is brittle, Dafny use its own pointer types which are wrappers:
+```rs
+pub struct Ptr<T: ?Sized>(pub Option<NonNull<UnsafeCell<T>>>);
+```
+
+|  Dafny type                   |   Rust type             | Defined in       |
+|-------------------------------|-------------------------|------------------|
+| `C`, `C?` (for class, iterator C) | `Ptr<C>`            | Runtime (`Option<NonNull<UnsafeCell<C>>>`) |
+| (trait) `T`                   | (trait) `Ptr<dyn T>`    | Runtime (`Option<NonNull<UnsafeCell<dyn T>>>`) |
+| `array<T>`                    | `Ptr<[T]>`              | Runtime (`Option<NonNull<UnsafeCell<[T]>>>`) |
+| `array2<T>`                   | `Ptr<array2<T>>`        | Runtime (`struct array2 {length0: usize, length1: usize, data: Box<[Box<[T]>]>}`)     |
+| `array3<T>` ... `array16<T>`  | `Ptr<array3<T>>` ... `Ptr<array16<T>>` | Runtime (`struct arrayN {length0: usize, ... lengthN-1: usize, data: Box<[...Box<[T]>...]>}`)     |
+| `c.x` if `c: C`               | `read!(c).x`            | Runtime         |
+| `c.x := 2` if `c: C`          | `modify!(c).x = 2`      | Runtime         |
+| `a[0]` if `a: array<T>`       | `read!(a)[0]`           | Runtime         |
+| `a[1] := 2` if  `a: array<T>` | `modify!(a)[1] = 2`     | Runtime         |
+
+# Externs
+
+You can provide additional `*.rs` files to `dafny translate`, `dafny build` and even `dafny run` (via the `--input` option)
+
+The best way to see what you have to implement as an extern Rust file is to compile your code with extern attributes and adding an external Rust file. For extra methods or static methods, you would then define an additional implementation in the extern Rust file. For other class or struct types, you just need to define them without any `mod` wrapper, or using the module structure as defined in the `{:extern}` attribute.
+
+When using simple 1-argument externs, the compilation follows Dafny conventions: static methods are static instance methods of a `pub struct _default {}` which is defined in the module itself, or must be defined externally if all static methods are labelled as externs.
+When using 2-argument extern methods or functions, the compilation follows Rust convention: The first argument is a path of Rust module names separated by `::` (or `.` for cross-compilation with e.g. the Java compiler). The second argument is the name of a static `pub fn` of that module.
+
+Let's assume you provide an additional input file `external.rs` with the following content:
+```
+pub mod rust {
+  pub mod module {
+    fn outsideMethod()
+  }
+}
+pub mod Test {
+  pub struct _default {}
+  impl _default {
+    pub fn extern_y() {
+    }
+  }
+}
+```
+Assuming that your Dafny program looks like:
+
+```
+
+module Test {
+  method {:extern "rust.module", "externalMethod"} outsideMethod()
+  method {:extern "extern_y"} dafny_y();
+}
+method Main() {
+  Test.outsideMethod();
+  Test.dafny_y();
+}
+```
+
+As of today, Dafny will generate the following for you (internal names not guaranteed):
+
+```
+pub mod external;         // from the additional external.rs input file
+
+pub mod _dafny_externs {  // from the additional external.rs input file
+  import opened external::*;
+}
+pub mod Test {
+  pub use super::_dafny_externs::Test::*; // Imports the _default
+}
+fn main() {
+  crate::rust::module::externalMethod();
+  super::Test::_default::extern_y();
+}
+```
+
+# Tests
+
+* Methods with the `{:test}` attribute will produce an equivalent `#[test]` method that can be run via `cargo test` on the code produced by `dafny build`.
+* Modules with the `{:rust_cfg_test}` attribute will have the attribute `#[cfg(test)]` when translated to Rust.
\ No newline at end of file
diff --git a/v4.10.0/DafnyRef/integration-cs/IntegrationCS.md b/v4.10.0/DafnyRef/integration-cs/IntegrationCS.md
new file mode 100644
index 0000000..4e7c11c
--- /dev/null
+++ b/v4.10.0/DafnyRef/integration-cs/IntegrationCS.md
@@ -0,0 +1,174 @@
+---
+title: Integration Dafny with C# projects
+---
+
+The Dafny compilation process translates Dafny programs into target language
+source code. 
+
+For a simple Dafny-only program, the translation step converts a `A.dfy` file into `A.cs`;
+the build step then produces a `A.dll`, which can be used as a library or as an executable.
+
+A multi-language program that combines Dafny and C#
+code "just" needs to be sure that the translated Dafny code fits in
+to the C# code. There are two aspects to this:
+- ensuring that the names of entities in the translated Dafny code are usable from C#
+- ensuring that the types are the same on both sides
+
+## Calling C# from Dafny
+
+Calling a C# method from Dafny requires declaring a [shim](https://en.wikipedia.org/wiki/Shim_(computing)) in Dafny that gives a name and types
+that can be referenced by Dafny code, while still having the same name as in the C# code.
+
+For example, suppose we want to call a C# method `Demo.p()`. In `Demo.cs` we have
+```cs
+using System;
+using System.IO;
+public class Demo {
+  public static void p() { Console.WriteLine("Hi!"); }
+}
+```
+In `Demo1.dfy` we write,
+```dafny
+module M {
+  method {:extern "Demo", "p"} p() 
+  method Main() {
+    p();
+  }
+}
+```
+Note that the declaration of `p()` has no body; it is just a declaration because the actual implementation is in C#.
+Its `extern` attribute has two arguments: the fully-qualified class name and the method name.
+
+Then the above can be built with
+`dafny build --target:cs Demo1.dfy Demo.cs`
+and then run as a dotnet program with
+`dotnet Demo1.dll`
+
+Or, in one build-and-run step, 
+`dafny run Demo1.dfy --input Demo.cs`
+
+## Calling non-static C# methods from Dafny
+
+If the C# methods to be called are not static, then a receiver object
+must also be created and shared between C# and Dafny. The following
+example shows how to do this.
+
+In a `Demo1a.dfy` file:
+```dafny
+module {:extern "demo"} M {
+  method {:extern "demo.Demo", "newDemo"} newDemo() returns (r: Demo )
+  class {:extern "Demo" } Demo {
+    method {:extern "demo.Demo", "p"} p()
+  }
+}
+module MM {
+  import opened M
+  method Main() {
+    var d: Demo := newDemo();
+    d.p();
+  }
+}
+```
+In a `Demo1x.cs` file
+```cs
+using System;
+using System.IO;
+
+namespace demo {
+  public class Demo {
+    public static Demo newDemo() { return new Demo(); }
+    public void p() { Console.WriteLine("Hi!"); }
+  }
+}
+```
+In the C# file there are two methods: a static one that returns a new instance of the `Demo` class, and a non-static method that does something useful.
+In the `.dfy` file we have a module `M` that has an extern name corresponding
+to the namespace of the C# class, a class declaration that associates the
+Dafny class `Demo` with the C# class `demo.Demo`, an instance method
+declaration that connects the Dafny method `M.Demo.p` to the C# method
+`demo.Demo.p`, and a static Dafny method `M.newDemo` connected to the
+static C# method `demo.Demo.newDemo`.
+The extern declaration for class `Demo` is actually not necessary if the
+Dafny and C# classes have the same name and the Dafny class is contained in
+a module whose extern name is the same as the C# namespace.
+
+Then the `Main` method in the Dafny file calls the two Dafny methods, which are
+translated to the two C# methods. The combination is built and run using
+`dafny run --target:cs Demo1a.dfy --input Demo1x.cs`
+
+## Calling Dafny from C#
+
+The simplest way to call a Dafny method from C# is to place the Dafny
+method in a class within a module. The module should be attributed as
+`{:extern "M"}`, where _M_ is the desired name of the C# namespace in
+which the C# class resides. There is no need to give an extern name to the
+class or method.
+
+In `Demo2.dfy`:
+```dafny
+module {:extern "MM"} MM {
+  class C {
+    static method p() {
+      print "Hello, World\n";
+    }
+  }
+}
+
+module MMM {
+  class Demo2x {
+    static method {:extern "Demo2x", "M"} M()
+  }
+}
+
+method Main() { MMM.Demo2x.M(); }
+```
+In `Demo2x.cs`:
+```cs
+public class Demo2x {
+  public static void M() {
+    MM.C.p(); // Calls p() in Dafny
+  }
+}
+```
+
+The above program is run with `dafny run --target:cs Demo2.dfy --input Demo2x.cs`.
+
+(Note that having Dafny invoke `Main` in the `.cs` code is not yet operational.)
+
+## Types
+
+If the C# method has input arguments or an output value, then the Dafny declaration must use
+corresponding types in Dafny:
+Here, `T'` for a type parameter `T` indicates the C# type corresponding to a Dafny type `T`.
+
+|-------------------------------|-----------------------------|
+|  Dafny type                   |   C# type                   |
+|-------------------------------|-----------------------------|
+| bool                          | bool                        |
+| int                           | System.Numerics.BigInteger  |
+| int64                         | long                        |
+| int32                         | int                         |
+| int16                         | short                       |
+| int8                          | sbyte                       |
+| char                          | char                        |
+| bitvector                     | appropriate unsigned int-based type  |
+| ORDINAL                       | java.math.BigInteger        |
+| real                          | Dafny.BigRational           |
+|                               | double                      |
+|                               | float                       |
+| string                        | Dafny.ISequence<char>  |
+| JavaString                    | java.lang.String                        |
+| C, C? (for class, iterator C) | (class) C                   |
+| (trait) T                     | (interface) T                |
+| datatype, codatatype          | (class) C                   |
+| subset type                   | same as base type           |
+| tuple                         | \_System.\_ITuple_n_              |
+| array<T>                      | T'[]                        |
+| seq<T>                        | Dafny.ISequence<? extends T'> |
+| set<T>, iset<T>               | Dafny.ISet<? extends T'>      |
+| multisetset<T>                | Dafny.ISet<? extends T'>      |
+| map<T,U>, imap<T,U>           | Dafny.IMap<? extends T'>      |
+| imap<T,U>, imap<T,U>          | Dafny.IMap<? extends T'>      |
+| function (arrow) types        | Func<T',U'> |
+|-------------------------------|------------------------------|
+
diff --git a/v4.10.0/DafnyRef/integration-go/IntegrationGo.md b/v4.10.0/DafnyRef/integration-go/IntegrationGo.md
new file mode 100644
index 0000000..7c09372
--- /dev/null
+++ b/v4.10.0/DafnyRef/integration-go/IntegrationGo.md
@@ -0,0 +1,42 @@
+---
+title: Integrating Dafny and Go code
+---
+
+The Dafny compilation process translates Dafny programs into target language
+source code, in particular a `.go` file, compiles the result, and then potentially runs the result. 
+
+The Dafny-to-Go compiler writes out the translated files of a file _A_`.dfy`
+to a folder _A_`-go/src`. The `-out` option can be used to choose a
+different output folder. The file _A_`.dfy` is translated to _A_`.go`,
+which is placed in the output folder along with helper files.
+If more than one `.dfy` file is listed on the command-line, then the output
+folder name is taken from the first file, but just
+one `.go` file is written ithat combines the user source files, 
+along with additional System and library `.go` files.
+
+A multi-language program that combines Dafny and Go
+code "just" needs to be sure that the translated Dafny code fits in
+to the Go code. There are two aspects to this:
+- ensuring that the names of entities in the translated Dafny code are usable from Go
+- ensuring that the types are the same on both sides
+
+## **The Dafny runtime library**
+
+The step of compiling Go files requires the Dafny runtime library. That library is automatically included in the output files if `dafny` is doing the compilation,
+but not if `dafny` is only doing translation.
+
+## **Manually executing Dafny-generated Go code**
+
+Suppose a Dafny program is contained in a `.dfy` file, `A.dfy`, which containingthe Dafny `Main` method. One can build the corresponding Go program (without running it) using this command:
+
+`dafny build --target:go A.dfy`
+
+The compiled program is then executed using the command `./A`
+or `(cd A-go; GO111MODULE=auto GOPATH=\`pwd\` go run src/A.go)`
+
+Alternatively the build and run steps can be combined:
+`dafny run --target:go A.dfy`
+
+## **Combining Go and Dafny source files**
+
+The dafny tool is not yet able to automatically combined Go and Dafny source files.
diff --git a/v4.10.0/DafnyRef/integration-java/IntegrationJava.md b/v4.10.0/DafnyRef/integration-java/IntegrationJava.md
new file mode 100644
index 0000000..fe1321d
--- /dev/null
+++ b/v4.10.0/DafnyRef/integration-java/IntegrationJava.md
@@ -0,0 +1,223 @@
+---
+title: Integrating Dafny and Java code
+---
+
+The Dafny compilation process translates Dafny programs into target language
+source code, compiles those to Java .class files, and then potentially runs the result. 
+
+The Dafny-to-Java compiler writes out the translated files of a file _A_`.dfy`
+to a folder _A_`-java`. The `-out` option can be used to choose a
+different output folder. The file _A_`.dfy` is translated to _A_`.java`,
+which is placed in the output folder along with helper files.
+If more than one `.dfy` file is listed on the command-line, then the output
+folder name is taken from the first file, and `.java` files are written
+for each of the `.dfy` files. _A_`-java` will also contain 
+translations to java for any library modules that are used.
+
+A multi-language program that combines Dafny and Java
+code "just" needs to be sure that the translated Dafny code fits in
+to the Java code. There are two aspects to this:
+- ensuring that the names of entities in the translated Dafny code are usable from Java
+- ensuring that the types are the same on both sides
+
+## **The Dafny runtime library**
+
+The step of compiling Java files (using `javac`) requires the Dafny runtime library. That library is automatically included if `dafny` is doing the compilation,
+but not if `dafny` is only doing translation.
+
+## **Manually executing Dafny-generated Java code**
+
+Suppose a Dafny program is contained in a `.dfy` files, `A.dfy`,
+including a `Main` method.
+One can build the corresponding Java program (without running it) using this command:
+
+`dafny build --target:java A.dfy`
+
+Alternatively, one can insert in `A.dfy` the directive `include B.dfy` and omit
+B.dfy from the command-line.
+
+The compiled program is then executed using the command
+`java -cp "A-java:A-java/DafnyRuntime.jar" A`
+
+Alternatively the build and run steps can be combined:
+`dafny run --target:java A.dfy
+
+If there is more than one `.dfy` file, general practice is to use `include` directives to include dependencies.
+
+## **Calling Java from Dafny**
+
+Calling a Java method from Dafny requires declaring a [shim](https://en.wikipedia.org/wiki/Shim_(computing)) in Dafny that gives a name and types
+that can be referenced by Dafny code, while still being translated to the same name and types as in the Java code.
+
+For example, suppose we want to call a Java method `demo.Demo1.p()`. In `Demo1.java` we have
+```java
+package demo;
+public class Demo1 {
+  public static void p() { System.out.println("Hi!\n"); }
+}
+```
+In `Demo1.dfy` we write,
+```dafny
+module M {
+  method {:extern "demo.Demo1", "p"} p() 
+  method Main() {
+    p();
+  }
+}
+```
+Note that the declaration of `p()` has no body; it is just a declaration because the actual implementation is in Java.
+Its `extern` attribute has two arguments: the fully-qualified class name and the method name.
+
+Then the above can be built with
+`dafny build --target:java Demo1.dfy Demo.java`
+and then run as a Java program with
+`java -cp Demo1-java:Demo1-java/DafnyRuntime.jar Demo1`
+
+Or, in one build-and-run step: 
+`dafny run --target:java Demo1.dfy --input Demo1.java`
+
+## **Calling non-static Java methods from Dafny**
+
+If the Java methods to be called are not static, then a receiver object 
+must also be created and shared between Java and Dafny. The following example
+shows how to do this.
+
+In a `Demo1a.dfy` file:
+```dafny
+module {:extern "demo"} M {
+  method {:extern "demo.Demo1a", "newDemo1a"} newDemo1a() returns (r: Demo1a )
+  class {:extern "demo", "Demo1a" } Demo1a {
+    method {:extern "demo.Demo1a", "p"} p()
+  }
+}
+module MM {
+  import opened M
+  method Main() {
+    var d: Demo1a := newDemo1a();
+    d.p();
+  }
+}
+```
+In a `Demo1a.java` file:
+```java
+package demo;
+public class Demo1a {
+  public static Demo1a newDemo1a() { return new Demo1a(); }
+  public void p() { System.out.println("Hi!\n"); }
+}
+```
+
+In the Java file there are two methods: a static one that returns a new instance of the `Demo1a` class, and a non-static method that does something useful.
+In the `.dfy` file we have a module `M` that has an extern name corresponding
+to the package of the Java class, a class declaration that associates the
+Dafny class `Demo1a` with the Java class `demo.Demo1a`, an instance method
+declaration that connects the Dafny method `M.Demo1a.p` to the Java method
+`demo.Demo1a.p`, and a static Dafny method `M.newDemo1a` connected to the
+static Java method `demo.Demo1a.newDemo1a`.
+The extern declaration for class `Demo1a` is actually not necessary if the
+Dafny and Java classes have the same name and the Dafny class is contained in
+a module whose extern name is the same as the Java package.
+
+Then the `Main` method in the Dafny file calls the two Dafny methods, which are
+translated to the two Java methods. The combination is built and run using
+`dafny run --target:java Demo1a.dfy --input Demo1a.java`
+
+## **Calling Dafny from Java**
+
+The simplest way to call a Dafny method from Java is to place the Dafny method in a class within a module. The module should be attributed as {:extern "M"} where _M_ is the desired name for the _Java package_ in which the class resides.
+There is no need to give an extern name to the class or the method.
+For example, given this Dafny code (in `Demo2.dfy`)
+```dafny
+module {:extern "M"} M {
+  class C {
+    static method p() {
+      print "Hello, World\n";
+    }
+  }
+}
+```
+and this Java code (in `Demo2.java`)
+```java
+package demo;
+public class Demo2 {
+  public static void main(String... args) {
+    M.C.p();
+  }
+}
+```
+then the commands
+- `dafny build --target:java Demo2.dfy Demo2.java`
+- `java -cp "Demo2-java:Demo2-java/DafnyRuntime.jar" demo.Demo2`
+compile and run the program.
+(Use `;` instead of `:` on Windows systems.)
+Note that `dafny run` does not run the program as it does not know that there is a `main` method in the Java code.
+
+If the Dafny method (say `p()`) is not a member of any class and is in the top-level 
+(unnamed) module, then it is called as `_System.__default.p()`
+
+## **Specifying class path**
+
+The dafny build and run steps invoke `javac` and `java`. Dafny will use the version of those tools that would be invoked at a terminal prompt (e.g., the ones
+found by a Linux `$PATH`). 
+There is no mechanism to supply options to these internal uses of `javac` and `java`. However, `dafny` does use the value of the environment variable `CLASSPATH`. For example, if you are writing a Dafny program, `Demo.java`, which calls
+methods in `Demo.jar`, you can build and run the program using
+```CLASSPATH=`pwd`/Demo.jar dafny run --target:java Demo.dfy```.
+The contents of the CLASSPATH must all be absolute paths.
+
+There are two means to include other options in the build. 
+First, one could create scripts named `java` and `javac` that invoke the actual `java` and `javac` with the desired options or environment settings, and then
+place theses scripts on the system `$PATH`.
+
+Alternately, one can use `dafny translate` to create the `.java` translation of the Dafny program and then use regular Java build processes to combine the
+Dafny-generated Java code with other Java code.
+
+## **Matching Dafny and Java types**
+
+If the Java method has input arguments or an output value, then the Dafny declaration must use
+corresponding types in the Dafny declaration, as shown in this table.
+Here, `T'` for a type parameter `T` indicates the Java type corresponding to a Dafny type `T`.
+
+|-------------------------------|-----------------------------|
+|  Dafny type                   |   Java type                 |
+|-------------------------------|-----------------------------|
+| bool                          | boolean                     |
+| int                           | java.math.BigInteger        |
+| int64                         | long                        |
+| int32                         | int                         |
+| int16                         | short                       |
+| int8                          | byte                        |
+| char                          | char                        |
+| bitvector                     | appropriate int-based type  |
+| ORDINAL                       | java.math.BigInteger        |
+| real                          | dafny.BigRational           |
+|                               | double                      |
+|                               | float                       |
+| string                        | dafny.DafnySequence<? extends Character>  |
+| C, C? (for class, iterator C) | (class) C                   |
+| (trait) T                     | (interface) T                |
+| datatype, codatatype          | (class) C                   |
+| subset type                   | same as base type           |
+| tuple                         | dafny.Tuple_n_              |
+| array<T>                      | T'[]                        |
+| seq<T>                        | dafny.DafnySequence<? extends T'> |
+| set<T>, iset<T>               | dafny.DafnySet<? extends T'>      |
+| multiset<T>                | dafny.DafnySet<? extends T'>      |
+| map<T,U>, imap<T,U>           | dafny.DafnyMap<? extends T'>      |
+| imap<T,U>, imap<T,U>           | dafny.DafnyMap<? extends T'>      |
+| function (arrow) types        | java.util.function.Function<T',U'> |
+|-------------------------------|------------------------------|
+
+Either there is a direct match between the Dafny-generated Java types and the types used in the Java code (as listed in the table above), or some wrapper
+code is needed either on the Java side or on the Dafny side.
+
+- If Dafny is calling a Java method in some Java library and no alterations
+to the Java library are possible or desired, then the Dafny code must be written
+in such a way that the Dafny types will translate directly to the Java types.
+Often this requires defining a Dafny class that corresponds to the Java class.
+- Alternately, one can write a Java wrapper that will translate between
+the Dafny-generated (Java) types and the types used in the desired method.
+The wrapper will do appropriate conversions and call the desired method.
+
+## Performance notes
+
+If you have the choice, given a `m: map<K, V>`, prefer iterating over the map itself like `forall k <- m` rather than over the keys `forall k <- m.Keys`. The latter currently results in `O(N²)` steps, whereas the first one remains linear.
diff --git a/v4.10.0/DafnyRef/integration-js/IntegrationJS.md b/v4.10.0/DafnyRef/integration-js/IntegrationJS.md
new file mode 100644
index 0000000..2fb803d
--- /dev/null
+++ b/v4.10.0/DafnyRef/integration-js/IntegrationJS.md
@@ -0,0 +1,36 @@
+---
+title: Integrating Dafny and JavaScript code
+---
+
+The Dafny compilation process for Javascript translates Dafny programs into target language
+source code (`.js` files), and then potentially runs the result. 
+
+The Dafny-to-Javascript compiler writes out the translated files of a file _A_`.dfy`
+to a single _A_`.js` file. 
+
+A multi-language program that combines Dafny and Javascript
+code "just" needs to be sure that the translated Dafny code fits in
+to the Java code. There are two aspects to this:
+- ensuring that the names of entities in the translated Dafny code are usable from Java
+- ensuring that the types are the same on both sides, which can be tricky as Javascriupt is dynamically typed
+
+## **The Dafny runtime library**
+
+The step of running Javascript files (using `node`) requires the Dafny runtime library. 
+That library is automatically included in the resulting `.js` file if `dafny` is doing the compilation,
+but not if `dafny` is only doing translation..
+
+## **Manually executing Dafny-generation Java code**
+
+Suppose a Dafny program is contained in a .dfy files, A.dfy, which contains the Dafny `Main` method. One can build the corresponding Javascript program (without running it) using this command:
+
+`dafny build --target:js A.dfy`
+
+The program is then executed using the command
+`node A.js`
+
+The combined build-and-run command is `dafny run --target:js A.dfy`.
+
+## Combining Dafny and Javascript source files
+
+The dafny tool  is not yet able to automatically combine Dafny and Javascript source files.
diff --git a/v4.10.0/DafnyRef/integration-py/IntegrationPython.md b/v4.10.0/DafnyRef/integration-py/IntegrationPython.md
new file mode 100644
index 0000000..554cb8d
--- /dev/null
+++ b/v4.10.0/DafnyRef/integration-py/IntegrationPython.md
@@ -0,0 +1,123 @@
+---
+title: Integrating Dafny and Python code
+---
+
+The Dafny compilation process translates Dafny programs into target language
+source code and then potentially runs the result. 
+
+The Dafny-to-Python compiler writes out the translated files of a file _A_`.dfy`
+to a folder _A_`-py`. The `-out` option can be used to choose a
+different output folder. The input `.dfy` files are translated to various `.py` files 
+which are placed in the output folder along with helper files.
+If more than one `.dfy` file is listed on the command-line, then the output
+folder name is taken from the first file.
+
+A multi-language program that combines Dafny and Python
+code "just" needs to be sure that the translated Dafny code fits in
+to the Python code. There are two aspects to this:
+- ensuring that the names of entities in the translated Dafny code are usable from Python
+- ensuring that the types are the same on both sides
+
+## **The Dafny runtime library**
+
+The step of compiling or running Python files requires the Dafny runtime library for Python. That library is automatically included if `dafny` is doing the compilation,
+but not if `dafny` is only doing translation.
+
+## **Manually executing Dafny-generated Python code**
+
+Suppose a Dafny program is contained in a `.dfy` file, `A.dfy`, which also contains the `Main` method. One can build the corresponding Java program (without running it) using this command:
+
+`dafny build --target:py A.dfy`
+
+The compiled program is then executed using the command
+`PYTHONPATH=A-py python3 A-py/A.py`
+or
+`(cd A-py; python3 A.py)`
+
+Alternatively the build and run steps can be combined:
+`dafny run --target:py A.dfy`
+
+If there are multiple `.dfy` files, general practice has the dependencies included within their client files using Dafny `include` directives.
+
+## **Combining Python and Dafny**
+
+Combining Python and Dafny source is complicated by two things.
+- To run a python program, `python` is invoked on the one `.py` file that
+contains the python `main` method. However, currently (as of v3.9.1) dafny only
+detects `main` methods in the `.py` files created from `.dfy` files.
+- For dafny to call python methods in some separate `.py` file, the
+calling file must `import` the called file (module). There is no syntax in
+Dafny to insert such `import` statements in the `.py` file generated from
+a `.dfy` file.
+
+When the `main` is in a `.py` file, proceed as in this example:
+
+In Demo2.dfy:
+```dafny
+module {:extern "M"} M {
+  class C {
+    static method p() {
+      print "Hello, World\n";
+    }
+  }
+}
+```
+
+In Demo2x.py
+```python
+import M
+
+def main():
+    print("Hi");
+    M.C.p();
+
+main()
+```
+
+And then execute these commands:
+```
+dafny build --target:py Demo2.dfy
+PYTHONPATH=.:Demo2-py python3 Demo2x.py
+```
+The first command translates `Demo2.dfy` into a `.py` file; by using `build`,
+all the supporting runtime library routines are included as well.
+The second command then uses `python` to execute the `main()` method in
+`Demo2x.py`, which imports the module `M` from `Demo2` and calls `M.C.p()`.
+
+To call python from Dafny, one must edit the trnaslation of the `.dfy` file to 
+add the needed imports.
+
+## **Matching Dafny and Python types**
+
+The correspondence between the Dafny and Python types is shown in this table.
+
+|-------------------------------|-----------------------------|
+|  Dafny type                   |   Python type                 |
+|-------------------------------|-----------------------------|
+| bool                          | bool                     |
+| int                           | int        |
+| int64                         | int                        |
+| int32                         | int                         |
+| int16                         | int                       |
+| int8                          | int                        |
+| char                          | int                        |
+| bitvector                     | int  |
+| ORDINAL                       | int        |
+| real                          | _dafny.BigRational           |
+|                               | float                       |
+| string                        | _dafny.Seq  |
+| ?                             | str                        |
+| C, C? (for class, iterator C) | class                   |
+| (trait) T                     | class                |
+| datatype, codatatype          | class                   |
+| subset type                   | same as base type           |
+| tuple                         | (python) tuple              |
+| array<T>                      | _dafny.Array                       |
+| seq<T>                        | _dafny.Seq |
+| set<T>, iset<T>               | _dafny.Set      |
+| multiset<T>                   | _dafny.MultiSet      |
+| map<T,U>, imap<T,U>           | _dafny.Map      |
+| imap<T,U>, imap<T,U>          | _dafny.Map      |
+| function (arrow) types        | class 'function' |
+|-------------------------------|------------------------------|
+
diff --git a/v4.10.0/DafnyRef/krml250.bib b/v4.10.0/DafnyRef/krml250.bib
new file mode 100644
index 0000000..1a7142e
--- /dev/null
+++ b/v4.10.0/DafnyRef/krml250.bib
@@ -0,0 +1,2026 @@
+@string{lncs = "LNCS"}
+
+@InCollection{Leino:Dafny:MOD2008,
+  author =    {K. Rustan M. Leino},
+  title =     {Specification and verification of object-oriented software},
+  booktitle = {Engineering Methods and Tools for Software Safety and Security},
+  pages =     {231-266},
+  publisher = {IOS Press},
+  year =      {2009},
+  editor =    {Manfred Broy and Wassiou Sitou and Tony Hoare},
+  volume =    {22},
+  series =    {NATO Science for Peace and Security Series D: Information and Communication Security},
+  note =      {Summer School Marktoberdorf 2008 lecture notes},
+}
+
+@inproceedings{Why:Platform,
+  author    = {Jean-Christophe Filli{\^a}tre and Claude March{\'e}},
+  title     = {The {Why}/{Krakatoa}/{Caduceus} Platform for Deductive Program Verification},
+  booktitle =    {Computer Aided Verification, 19th International Conference, CAV 2007},
+  editor =       {Werner Damm and Holger Hermanns},
+  volume =       {4590},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        jul,
+  year =         {2007},
+  pages     = {173--177}
+}
+
+@InProceedings{BarrettTinelli:CVC3,
+  author =       {Clark Barrett and Cesare Tinelli},
+  title =        {{CVC3}},
+  booktitle =    {Computer Aided Verification, 19th International Conference, CAV 2007},
+  editor =       {Werner Damm and Holger Hermanns},
+  volume =       {4590},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        jul,
+  year =         {2007},
+  pages =        {298-302},
+}
+
+@InProceedings{HubertMarche:SchorrWaite,
+  author =       {Thierry Hubert and Claude March{\'e}},
+  title =        {A case study of {C} source code verification: the
+                  {S}chorr-{W}aite algorithm},
+  booktitle =    {Third IEEE International Conference on Software
+                  Engineering and Formal Methods (SEFM 2005)},
+  editor =       {Bernhard K. Aichernig and Bernhard Beckert},
+  publisher =    {IEEE Computer Society },
+  month =        sep,
+  year =         {2005},
+  pages =        {190-199},
+}
+
+@Article{BroyPepper:SchorrWaite,
+  author =       {Manfred Broy and Peter Pepper},
+  title =        {Combining Algebraic and Algorithmic Reasoning: An
+                  Approach to the {S}chorr-{W}aite Algorithm},
+  journal =      toplas,
+  volume =       {4},
+  number =       {3},
+  month =        jul,
+  year =         {1982},
+  pages =        {362-381},
+}
+
+@Article{MehtaNipkow:SchorrWaite,
+  author =       {Farhad Mehta and Tobias Nipkow},
+  title =        {Proving pointer programs in higher-order logic},
+  journal =      {Information and Computation},
+  year =         {2005},
+  volume =       {199},
+  number =       {1--2},
+  pages =        {200-227},
+  month =        may # "--" # jun,
+}
+
+@InProceedings{BallEtAll:ScalableChecking,
+  author =       {Thomas Ball and Brian Hackett and Shuvendu K. Lahiri
+                  and Shaz Qadeer and Julien Vanegue},
+  title =        {Towards Scalable Modular Checking of User-Defined Properties},
+  booktitle =    {Verified Software: Theories, Tools, Experiments,
+                  (VSTTE 2010)},
+  editor =       {Gary T. Leavens and Peter O'Hearn and Sriram K. Rajamani},
+  volume =       {6217},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        aug,
+  year =         {2010},
+  pages =        {1-24},
+}
+
+@InProceedings{RegisGianasPottier:FunctionalHoare,
+  author =       {Yann R{\'e}gis-Gianas and Fran{\,c}ois Pottier},
+  title =        {A {H}oare Logic for Call-by-Value Functional Programs},
+  booktitle =    {Mathematics of Program Construction, 9th International Conference, MPC 2008},
+  pages =        {305-335},
+  year =         {2008},
+  editor =       {Philippe Audebaud and Christine Paulin-Mohring},
+  volume =       {5133},
+  series =       lncs,
+  month =        jul,
+  publisher =    {Springer},
+}
+
+@InProceedings{VeanesEtAl:SpecExplorer,
+  author =       {Margus Veanes and Colin Campbell and Wolfgang
+                  Grieskamp and Wolfram Schulte and Nikolai Tillmann
+                  and Lev Nachmanson},
+  title =        {Model-Based Testing of Object-Oriented Reactive
+                  Systems with {Spec} {Explorer}},
+  booktitle =    {Formal Methods and Testing},
+  pages =        {39-76},
+  year =         {2008},
+  editor =       {Robert M. Hierons and Jonathan P. Bowen and Mark Harman},
+  volume =       {4949},
+  series =       lncs,
+  publisher =    {Springer},
+}
+
+@book{Dijkstra:Discipline,
+  author = "Edsger W. Dijkstra",
+  title = "A Discipline of Programming",
+  publisher = "Prentice Hall",
+  address = "Englewood Cliffs, NJ",
+  year = 1976
+}
+
+@InProceedings{LeinoMueller:ESOP2009,
+  author =    {K. Rustan M. Leino and Peter M{\"u}ller},
+  title =     {A Basis for Verifying Multi-threaded Programs},
+  booktitle = {Programming Languages and Systems, 18th European
+                  Symposium on Programming, ESOP 2009},
+  editor =    {Giuseppe Castagna},
+  volume =    {5502},
+  series =    lncs,
+  publisher = {Springer},
+  month =     mar,
+  year =      2009,
+  pages =     {378-393},
+}
+
+@InProceedings{LeinoRuemmer:Boogie2,
+  author =       {K. Rustan M. Leino and Philipp R{\"u}mmer},
+  title =        {A Polymorphic Intermediate Verification Language:
+                  Design and Logical Encoding},
+  booktitle =    {Tools and Algorithms for the Construction and
+                  Analysis of Systems, 16th International Conference,
+                  TACAS 2010},
+  editor =       {Javier Esparza and Rupak Majumdar},
+  series =       lncs,
+  volume =       6015,
+  publisher =    {Springer},
+  month =        mar,
+  year =         2010,
+  pages =        {312-327},
+}
+
+@book{LiskovGuttag:book,
+  author = "Barbara Liskov and John Guttag",
+  title = "Abstraction and Specification in Program Development",
+  publisher = "MIT Press",
+  series = "MIT Electrical Engineering and Computer Science Series",
+  year = 1986
+}
+
+@TechReport{DahlEtAl:Simula67,
+  author =       {Ole-Johan Dahl and Bj{\o}rn Myhrhaug and Kristen Nygaard},
+  title =        {Common Base Language},
+  institution =  {Norwegian Computing Center},
+  type =         {Publication},
+  number =       {S-22},
+  month =        oct,
+  year =         1970,
+}
+
+@inproceedings{LeinoMueller:ModelFields,
+  author    = {K. Rustan M. Leino and
+               Peter M{\"u}ller},
+  title     = {A Verification Methodology for Model Fields},
+  booktitle = "Programming Languages and Systems, 15th European Symposium on Programming, ESOP 2006",
+  editor = "Peter Sestoft",
+  series = lncs,
+  volume = 3924,
+  publisher = "Springer",
+  month = mar,
+  year = 2006,
+  pages = {115-130},
+}
+
+@InProceedings{CarterEtAl:UsingPerfectDeveloper,
+  author =       {Gareth Carter and Rosemary Monahan and Joseph M. Morris},
+  title =        {Software Refinement with {P}erfect {D}eveloper},
+  booktitle =    {Third IEEE International Conference on Software
+                  Engineering and Formal Methods (SEFM 2005)},
+  pages =        {363-373},
+  editor =       {Bernhard K. Aichernig and Bernhard Beckert},
+  month =        sep,
+  year =         {2005},
+  publisher =    {IEEE Computer Society},
+}
+
+@InProceedings{Abrial:SchorrWaite,
+  author =       {Jean-Raymond Abrial},
+  title =        {Event Based Sequential Program Development:
+                  Application to Constructing a Pointer Program},
+  booktitle =    {FME 2003: Formal Methods, International Symposium of
+                  Formal Methods Europe},
+  editor =       {Keijiro Araki and Stefania Gnesi and Dino Mandrioli},
+  volume =       {2805},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        sep,
+  year =         {2003},
+  pages =        {51-74},
+}
+
+@article{Barnett-etal04,
+  author    = {Mike Barnett and Robert DeLine and Manuel F{\"a}hndrich and
+               K. Rustan M. Leino and Wolfram Schulte},
+  title     = {Verification of Object-Oriented Programs with Invariants},
+  journal   = {Journal of Object Technology},
+  volume    = 3,
+  number    = 6,
+  year      = 2004,
+  pages     = {27-56},
+}
+
+@InProceedings{SmansEtAl:ImplicitDynamicFrames,
+  author = 	 {Jan Smans and Bart Jacobs and Frank Piessens},
+  title = 	 {Implicit Dynamic Frames: Combining Dynamic Frames
+                  and Separation Logic},
+  booktitle =	 {ECOOP 2009 --- Object-Oriented Programming, 23rd
+                  European Conference},
+  editor =	 {Sophia Drossopoulou},
+  volume =	 {5653},
+  series =	 lncs,
+  publisher =	 {Springer},
+  month =	 jul,
+  year =	 {2009},
+  pages =	 {148-172},
+}
+
+@inproceedings{GriesPrins:Encapsulation,
+  author = "David Gries and Jan Prins",
+  title = "A New Notion of Encapsulation",
+  booktitle = "Proceedings of the {ACM} {SIGPLAN} 85
+    Symposium on Language Issues in Programming Environments",
+  publisher = "ACM",
+  series = "SIGPLAN Notices 20",
+  number = 7,
+  month = jul,
+  year = 1985,
+  pages = "131-139"
+}
+
+@InProceedings{YangHawblitzel:Verve,
+  author =       {Jean Yang and Chris Hawblitzel},
+  title =        {Safe to the last instruction: automated verification of a type-safe operating system},
+  booktitle =    {Proceedings of the 2010 ACM SIGPLAN Conference on
+                  Programming Language Design and Implementation, PLDI
+                  2010},
+  editor =       {Benjamin G. Zorn and Alexander Aiken},
+  month =        jun,
+  year =         {2010},
+  publisher =    {ACM},
+  pages =        {99-110},
+}
+
+@Book{BoyerMoore:book,
+  author =       {Robert S. Boyer and J Strother Moore},
+  title =        {A Computational Logic},
+  publisher =    {Academic Press},
+  series =       {ACM Monograph Series},
+  year =         {1979},
+}
+
+@article{HoareWirth:Pascal,
+  author = "C. A. R. Hoare and N. Wirth",
+  title = "An axiomatic definition of the programming language {PASCAL}",
+  journal = acta,
+  volume = 2,
+  number = 4,
+  year = 1973,
+  pages = "335-355"
+}
+
+@article{Hoare:AxiomaticBasis,
+  author    = "C. A. R. Hoare",
+  title     = "An axiomatic basis for computer programming",
+  journal   = cacm,
+  volume    = 12,
+  number    = 10,
+  year      = 1969,
+  month     = oct,
+  pages     = "576--580,583"
+}
+
+@InProceedings{LeinoMoskal:vacid0-notYetConfirmed,
+  author =       {K. Rustan M. Leino and Micha{\l} Moskal},
+  title =        {{VACID-0}: {V}erification of {A}mple {C}orrectness
+                  of {I}nvariants of {D}ata-structures, Edition 0},
+  booktitle =    {VS-Tools & Experiments},
+  year =         2010,
+  editor =       {Rajeev Joshi and Tiziana Margaria and Peter
+                  M{\"u}ller and David Naumann and Hongseok Yang},
+  series =       {VSTTE 2010 Workshop Proceedings},
+  publisher =    {ETH Zurich Technical Report 676},
+  month =        aug,
+}
+
+@InCollection{Chalice:tutorial,
+  author =    {K. Rustan M. Leino and Peter M{\"u}ller and Jan Smans},
+  title =     {Verification of Concurrent Programs with {C}halice},
+  booktitle = {Foundations of Security Analysis and Design {V}: {FOSAD} 2007/2008/2009 Tutorial Lectures},
+  editor =    {Alessandro Aldini and Gilles Barthe and Roberto Gorrieri},
+  volume =    {5705},
+  series =    lncs,
+  publisher = {Springer},
+  year =      {2009},
+  pages =     {195-222}
+}
+
+@inproceedings{LeinoMuellerSmans10,
+  author =    {K. Rustan M. Leino and Peter M{\"u}ller and Jan Smans},
+  title =     {Deadlock-Free Channels and Locks},
+  booktitle = {Programming Languages and Systems, 19th European Symposium on Programming, ESOP 2010},
+  editor =    {Andrew D. Gordon},
+  volume =    {6012},
+  series =    lncs,
+  publisher = {Springer},
+  month =     mar,
+  year =      {2010},
+  pages =     {407-426}
+}
+
+@Book{BundyEtAl:Rippling,
+  author =    {Alan Bundy and David Basin and Dieter Hutter and Andrew Ireland},
+  title =     {Rippling: Meta-level Guidance for Mathematical Reasoning},
+  publisher = {Cambridge University Press},
+  volume =    {56},
+  series =    {Cambridge Tracts in Theoretical Computer Science},
+  year =      {2005},
+}
+
+@book{Gries:Science,
+  author = "David Gries",
+  title = "The Science of Programming",
+  publisher = "Springer-Verlag",
+  series = "Texts and Monographs in Computer Science",
+  year = 1981
+}
+
+@Book{DijkstraFeijen:Book,
+  author = "Edsger W. Dijkstra and W. H. J. Feijen",
+  title = "A Method of Programming",
+  publisher = "Addison-Wesley",
+  month = jul,
+  year = 1988,
+}
+
+@book{Kaldewaij:Programming,
+  author    = "Anne Kaldewaij",
+  title     = "Programming: The Derivation of Algorithms",
+  publisher = "Prentice-Hall International",
+  year      = 1990,
+  series    = "Series in Computer Science",
+}
+
+@InProceedings{LeinoMonahan:VSTTE2010,
+  author =       {K. Rustan M. Leino and Rosemary Monahan},
+  title =        {Dafny Meets the Verification Benchmarks Challenge},
+  booktitle =    {Verified Software: Theories, Tools, Experiments,
+                  Third International Conference, VSTTE 2010},
+  pages =        {112-126},
+  year =         {2010},
+  editor =       {Gary T. Leavens and Peter W. O'Hearn and Sriram K. Rajamani},
+  volume =       {6217},
+  series =       lncs,
+  month =        aug,
+  publisher =    {Springer},
+}
+
+@InProceedings{VSComp2010:report,
+  author =       {Vladimir Klebanov and Peter M{\"u}ller and Natarajan Shankar and
+                  Gary T. Leavens and Valentin W{\"u}stholz and Eyad Alkassar and
+                  Rob Arthan and Derek Bronish and Rod Chapman and Ernie Cohen and
+                  Mark Hillebrand and Bart Jacobs and K. Rustan M. Leino and
+                  Rosemary Monahan and Frank Piessens and Nadia Polikarpova and
+                  Tom Ridge and Jan Smans and Stephan Tobies and Thomas Tuerk and
+                  Mattias Ulbrich and Benjamin Wei{\ss}},
+  title =        {The 1st Verified Software Competition: Experience Report},
+  booktitle =    {FM 2011: Formal Methods --- 17th International
+                  Symposium on Formal Methods},
+  pages =        {154-168},
+  year =         {2011},
+  editor =       {Michael Butler and Wolfram Schulte},
+  volume =       {6664},
+  series =       lncs,
+  month =        jun,
+  publisher =    {Springer},
+}
+
+@InProceedings{Leino:Dafny:LPAR16,
+  author =       {K. Rustan M. Leino},
+  title =        {Dafny: An Automatic Program Verifier for Functional Correctness},
+  booktitle =    {LPAR-16},
+  year =         {2010},
+  volume =       {6355},
+  series =       lncs,
+  publisher =    {Springer},
+  pages =        {348-370},
+}
+
+@book{BackVonWright:Book,
+  author = "Ralph-Johan Back and von Wright, Joakim",
+  title = "Refinement Calculus: A Systematic Introduction",
+  series = "Graduate Texts in Computer Science",
+  publisher = "Springer-Verlag",
+  year = 1998
+}
+
+@Article{BalzerCheathamGreen:1990s,
+  author = 	 {Robert Balzer and {Cheatham, Jr.}, Thomas E. and Cordell Green},
+  title = 	 {Software Technology in the 1990's: Using a New Paradigm},
+  journal = 	 {IEEE Computer},
+  year = 	 {1983},
+  volume =	 {16},
+  number =	 {11},
+  pages =	 {39-45 },
+  month =	 nov,
+}
+
+@InProceedings{Zloof:QBE,
+  author = 	 {Mosh{\'e} M. Zloof},
+  title = 	 {Query by Example},
+  booktitle =	 {American Federation of Information Processing
+                  Societies: 1975 National Computer Conference},
+  pages =	 {431-438},
+  year =	 {1975},
+  month =	 may,
+  publisher =	 {AFIPS Press },
+}
+
+@InProceedings{HarrisGulwani:PLDI2011,
+  author = 	 {William R. Harris and Sumit Gulwani},
+  title = 	 {Spreadsheet table transformations from examples},
+  booktitle =	 {Proceedings of the 32nd ACM SIGPLAN Conference on
+                  Programming Language Design and Implementation, PLDI
+                  2011},
+  pages =	 {317-328},
+  year =	 {2011},
+  editor =	 {Mary W. Hall and David A. Padua},
+  month =	 jun,
+  publisher =	 {ACM},
+}
+
+@Article{Smith:KIDS-overview,
+  author = "Douglas R. Smith",
+  title = "{KIDS}: A Semi-Automatic Program Development System",
+  journal = {IEEE Transactions on Software Engineering },
+  volume = 16,
+  number = 9,
+  month = sep,
+  year = 1990,
+  pages = "1024-1043",
+}
+
+@Article{RodinToolset,
+  author =       {Jean-Raymond Abrial and Michael Butler and Stefan
+                  Hallerstede and Thai Son Hoang and Farhad Mehta and
+                  Laurent Voisin},
+  title =        {Rodin: An Open Toolset for Modelling and Reasoning in {Event-B}},
+  journal =      {International Journal on Software Tools for Technology Transfer},
+  year =         {2010},
+  month =        apr,
+}
+
+@Article{Summers:LISP-from-examples,
+  author = 	 {Phillip D. Summers},
+  title = 	 {A Methodology for {LISP} Program Construction from Examples},
+  journal = 	 jacm,
+  year = 	 {1977},
+  volume =	 {24},
+  number =	 {1},
+  pages =	 {161-175},
+  month =	 jan,
+}
+
+@InProceedings{Pex:overview,
+  author = 	 {Nikolai Tillmann and de Halleux, Jonathan},
+  title = 	 {Pex---White Box Test Generation for {.NET}},
+  booktitle =	 {Tests and Proofs, Second International Conference, TAP 2008},
+  pages =	 {134-153},
+  year =	 {2008},
+  editor =	 {Bernhard Beckert and Reiner H{\"a}hnle},
+  series =	 lncs,
+  volume =	 {4966},
+  month =	 apr,
+  publisher =	 {Springer},
+}
+
+@InProceedings{GodefroidKlarlundSen:DART,
+  author = 	 {Patrice Godefroid and Nils Klarlund and Koushik Sen},
+  title = 	 {{DART}: directed automated random testing},
+  booktitle =	 {Proceedings of the ACM SIGPLAN 2005 Conference on
+                  Programming Language Design and Implementation},
+  pages =	 {213-223},
+  year =	 {2005},
+  editor =	 {Vivek Sarkar and Mary W. Hall},
+  month =	 jun,
+  publisher =	 {ACM},
+}
+
+@PhdThesis{Monahan:thesis,
+  author = 	 {Rosemary Monahan},
+  title = 	 {Data Refinement in Object-Oriented Verification},
+  school = 	 {Dublin City University},
+  year = 	 {2010},
+}
+
+@InProceedings{Denali:pldi2002,
+  author = 	 {Rajeev Joshi and Greg Nelson and Keith H. Randall},
+  title = 	 {Denali: A Goal-directed Superoptimizer},
+  booktitle =	 {Proceedings of the 2002 ACM SIGPLAN Conference on
+                  Programming Language Design and Implementation
+                  (PLDI)},
+  pages =	 {304-314},
+  year =	 {2002},
+  month =	 jun,
+  publisher =	 {ACM},
+}
+@Book{SETL,
+  author =       {J. T. Schwartz and R. B. K. Dewar and E. Dubinsky and E. Schonberg},
+  title =        {Programming with Sets: An Introduction to {SETL}},
+  series =       {Texts and Monographs in Computer Science},
+  publisher =    {Springer},
+  year =         {1986},
+}
+
+@InProceedings{KuncakEtAl:PLDI2010,
+  author = 	 {Viktor Kuncak and Mika{\"e}l Mayer and Ruzica Piskac
+                  and Philippe Suter},
+  title = 	 {Complete functional synthesis},
+  booktitle =	 {Proceedings of the 2010 ACM SIGPLAN Conference on
+                  Programming Language Design and Implementation, PLDI
+                  2010},
+  pages =	 {316-329},
+  year =	 {2010},
+  editor =	 {Benjamin G. Zorn and Alexander Aiken},
+  month =	 jun,
+  publisher =	 {ACM},
+}
+
+@Article{JML:ToolSuite:STTT,
+  author = 	 {Lilian Burdy and Yoonsik Cheon and David R. Cok and
+                   Michael D. Ernst and Joseph R. Kiniry and Gary T. Leavens and
+                   K. Rustan M. Leino and Erik Poll},
+  title = 	 {An overview of {JML} tools and applications},
+  journal = 	 {International Journal on Software Tools
+                  for Technology Transfer},
+  volume =       7,
+  number =       3,
+  publisher =    {Springer},
+  month =        jun,
+  year = 	 2005,
+  pages =        {212-232},
+}
+
+@InProceedings{Green:ProblemSolving,
+  author =       {Cordell Green},
+  title =        {Application of Theorem Proving to Problem Solving},
+  booktitle =    {Proceedings of the 1st International Joint Conference on Artificial Intelligence},
+  editor =       {Donald E. Walker and Lewis M. Norton},
+  pages =        {219-240},
+  year =         {1969},
+  month =        may,
+  publisher =    {William Kaufmann},
+}
+
+@Article{MannaWaldinger:CACM1971,
+  author =       {Zohar Manna and Richard J. Waldinger},
+  title =        {Towards automatic program synthesis},
+  journal =      cacm,
+  year =         {1971},
+  volume =       {14},
+  number =       {3},
+  pages =        {151-165},
+  month =        mar,
+}
+
+@Article{RichWaters:ProgAppren,
+  author =       {Charles Rich and Richard C. Waters},
+  title =        {The {P}rogrammer's {A}pprentice: A Research Overview},
+  journal =      {IEEE Computer},
+  year =         {1988},
+  volume =       {21},
+  number =       {11},
+  pages =        {10-25},
+  month =        nov,
+}
+
+@InProceedings{Green:PSI,
+  author =       {Cordell Green},
+  title =        {The Design of the {PSI} Program Synthesis System},
+  booktitle =    {Proceedings of the 2nd International Conference on Software Engineering},
+  pages =        {4-18},
+  year =         {1976},
+  month =        oct,
+  publisher =    {IEEE Computer Society},
+}
+
+@Article{SpecSharp:Retrospective:CACM,
+  author = 	 {Mike Barnett and Manuel F{\"a}hndrich and
+                  K. Rustan M. Leino and Peter M{\"u}ller and
+                  Wolfram Schulte and Herman Venter},
+  title = 	 {Specification and Verification: The {Spec\#} Experience},
+  journal = 	 cacm,
+  volume =	 {54},
+  number =	 {6},
+  pages =	 {81-91},
+  month =	 jun,
+  year = 	 2011,
+}
+
+@article{Filipovic:SepLogicRefinement,
+  author = {Ivana Filipovi{\'c} and Peter O'Hearn and
+            Noah Torp-Smith and Hongseok Yang},
+  title     = {Blaming the client: on data refinement in the presence of pointers},
+  journal   = {Formal Aspects of Computing},
+  volume    = {22},
+  number    = {5},
+  month     = sep,
+  year      = {2010},
+  pages     = {547-583},
+}
+
+@inproceedings{Grandy:JavaRefinement,
+  author = {Grandy, Holger and Stenzel, Kurt and Reif, Wolfgang},
+  title = {A refinement method for {J}ava programs},
+  booktitle = {Formal Methods for Open Object-Based Distributed Systems, 9th IFIP WG 6.1 International Conference, FMOODS 2007},
+  editor = {Marcello M. Bonsangue and Einar Broch Johnsen},
+  series = lncs,
+  number = {4468},
+  month = jun,
+  year = {2007},
+  publisher = {Springer},
+  pages = {221--235},
+}
+
+@InCollection{KoenigLeino:MOD2011,
+  author =    {Jason Koenig and K. Rustan M. Leino},
+  title =     {Getting Started with {D}afny: A Guide},
+  booktitle = {Software Safety and Security:  Tools for Analysis and Verification},
+  pages =     {152-181},
+  publisher = {IOS Press},
+  year =      {2012},
+  editor =    {Tobias Nipkow and Orna Grumberg and Benedikt Hauptmann},
+  volume =    {33},
+  series =    {NATO Science for Peace and Security Series D: Information and Communication Security},
+  note =      {Summer School Marktoberdorf 2011 lecture notes},
+}
+
+@InProceedings{VonWright:ExtendingWindowInference,
+  author = 	 {von Wright, Joakim},
+  title = 	 {Extending Window Inference},
+  booktitle =	 {Theorem Proving in Higher Order Logics, 11th International Conference, TPHOLs'98},
+  pages =	 {17-32},
+  year =	 {1998},
+  editor =	 {Jim Grundy and Malcolm C. Newey},
+  volume =	 {1479},
+  series =	 lncs,
+  publisher =	 {Springer},
+}
+
+@InProceedings{BauerWenzel:IsarExperience,
+  author = 	 {Gertrud Bauer and Markus Wenzel},
+  title = 	 {Calculational reasoning revisited: an {I}sabelle/{I}sar experience},
+  booktitle =	 {Theorem Proving in Higher Order Logics, 14th International Conference, TPHOLs 2001},
+  pages =	 {75-90},
+  year =	 {2001},
+  editor =	 {Richard J. Boulton and Paul B. Jackson},
+  volume =	 {2152},
+  series =	 lncs,
+  month =	 sep,
+  publisher =	 {Springer},
+}
+
+@InProceedings{Leino:induction,
+  author = 	 {K. Rustan M. Leino},
+  title = 	 {Automating Induction with an {SMT} Solver},
+  booktitle =	 {VMCAI 2012},
+  pages =	 {315-331},
+  year =	 {2012},
+  volume =	 {7148},
+  series =	 lncs,
+  month =	 jan,
+  publisher =	 {Springer},
+}
+
+@InProceedings{LGLM:BVD,
+  author = 	 {Le Goues, Claire and K. Rustan M. Leino and Micha{\l} Moskal},
+  title = 	 {The {B}oogie {V}erification {D}ebugger (Tool Paper)},
+  booktitle =	 {Software Engineering and Formal Methods --- 9th International Conference, SEFM 2011},
+  pages =	 {407-414},
+  year =	 {2011},
+  editor =	 {Gilles Barthe and Alberto Pardo and Gerardo Schneider},
+  volume =	 {7041},
+  series =	 lncs,
+  month =	 nov,
+  publisher =	 {Springer},
+}
+
+@InProceedings{Filliatre:2lines,
+  author = 	 {Jean-Christophe Filli{\^a}tre},
+  title = 	 {Verifying two lines of {C} with {Why3}: an exercise in
+                  program verification},
+  booktitle =	 {Verified Software: Theories, Tools, Experiments ---
+                  4th International Conference, VSTTE 2012},
+  pages =	 {83-97},
+  year =	 {2012},
+  editor =	 {Rajeev Joshi and Peter M{\"u}ller and Andreas Podelski},
+  volume =	 {7152},
+  series =	 lncs,
+  month =	 jan,
+  publisher =	 {Springer},
+}
+
+@InCollection{LeinoMoskal:UsableProgramVerification,
+  author = 	 {K. Rustan M. Leino and Micha{\l} Moskal},
+  title = 	 {Usable Auto-Active Verification},
+  booktitle = 	 {UV10 (Usable Verification) workshop},
+  year =	 {2010},
+  editor =	 {Tom Ball and Lenore Zuck and N. Shankar},
+  month =	 nov,
+  publisher =	 {\url{http://fm.csl.sri.com/UV10/}},
+}
+
+@InProceedings{LeinoMonahan:Comprehensions,
+  author =    {K. Rustan M. Leino and Rosemary Monahan},
+  title =     {Reasoning about Comprehensions with First-Order {SMT} Solvers},
+  booktitle = {Proceedings of the 2009 ACM Symposium on Applied Computing (SAC)},
+  editor =    {Sung Y. Shin and Sascha Ossowski},
+  publisher = {ACM},
+  month =     mar,
+  year =      2009,
+  pages =     {615-622},
+}
+
+@TechReport{VeriFast:TR,
+  author =       {Bart Jacobs and Frank Piessens},
+  title =        {The {VeriFast} program verifier},
+  institution =  {Dept. of Computer Science, Katholieke Universiteit Leuven},
+  year =         {2008},
+  number =       {CW-520},
+}
+
+@book{DijkstraScholten:book,
+  author = "Edsger W. Dijkstra and Carel S. Scholten",
+  title = "Predicate Calculus and Program Semantics",
+  publisher = "Springer-Verlag",
+  series = "Texts and Monographs in Computer Science",
+  year = 1990
+}
+
+@Book{Coq:book,
+  author =	 {Yves Bertot and Pierre Cast{\'e}ran},
+  title = 	 {{C}oq'{A}rt: The Calculus of Inductive Constructions},
+  publisher = 	 {Springer},
+  year = 	 {2004},
+  series =	 {Texts in Theoretical Comp. Sci.},
+}
+
+@Book{ACL2:book,
+  author =	 {Matt Kaufmann and Panagiotis Manolios and J Strother Moore},
+  title = 	 {Computer-Aided Reasoning: An Approach},
+  publisher = 	 {Kluwer Academic Publishers},
+  year = 	 {2000},
+}
+
+@InProceedings{Coq:Coinduction,
+  author = 	 {Eduardo Gim{\'e}nez},
+  title = 	 {An Application of Co-inductive Types in {Coq}: Verification of the Alternating Bit Protocol},
+  booktitle =    {Types for Proofs and Programs, International Workshop TYPES'95},
+  pages =	 {135-152},
+  year =	 {1996},
+  editor =	 {Stefano Berardi and Mario Coppo},
+  volume =	 1158,
+  series =	 lncs,
+  publisher =	 {Springer},
+}
+
+@InCollection{JacobsRutten:IntroductionCoalgebra,
+  author = 	 {Bart Jacobs and Jan Rutten},
+  title = 	 {An Introduction to (Co)Algebra and (Co)Induction},
+  booktitle = 	 {Advanced Topics in Bisimulation and Coinduction},
+  series =	 {Cambridge Tracts in Theoretical Comp. Sci.},
+  number =	 {52},
+  publisher =	 {Cambridge Univ. Press},
+  year =	 {2011},
+  pages =	 {38-99},
+}
+
+@InProceedings{SonnexEtAl:Zeno,
+  author = 	 {William Sonnex and Sophia Drossopoulou and Susan Eisenbach},
+  title = 	 {Zeno: An Automated Prover for Properties of Recursive
+                  Data Structures},
+  booktitle =	 {Tools and Algorithms for the Construction and Analysis of
+                  Systems --- 18th International Conference, TACAS 2012},
+  editor =	 {Cormac Flanagan and Barbara K{\"o}nig},
+  volume =	 {7214},
+  series =	 lncs,
+  year =	 {2012},
+  month =	 mar # "--" # apr,
+  publisher =	 {Springer},
+  pages =	 {407-421},
+}
+
+@InProceedings{JohanssonEtAl:IPT2010,
+  author = 	 {Moa Johansson and Lucas Dixon and Alan Bundy},
+  title = 	 {Case-Analysis for {R}ippling and Inductive Proof},
+  booktitle =	 {Interactive Theorem Proving, First International Conference, ITP 2010},
+  editor =	 {Matt Kaufmann and Lawrence C. Paulson},
+  volume =	 {6172},
+  series =	 lncs,
+  publisher =	 {Springer},
+  month =	 jul,
+  year =	 {2010},
+  pages =	 {291-306},
+}
+
+@Article{HatcliffEtAl:BISL,
+  author = 	 {John Hatcliff and Gary T. Leavens and
+                  K. Rustan M. Leino and Peter M{\"u}ller and Matthew Parkinson},
+  title = 	 {Behavioral interface specification languages},
+  journal = 	 {ACM Computing Surveys},
+  volume =	 {44},
+  number =	 {3},
+  note =	 {Article 16},
+  month =	 jun,
+  year = 	 {2012},
+}
+
+@InProceedings{BoehmeNipkow:Sledgehammer,
+  author = 	 {Sascha B{\"o}hme and Tobias Nipkow},
+  title = 	 {Sledgehammer: {J}udgement {D}ay},
+  booktitle =	 {Automated Reasoning, 5th International Joint Conference, IJCAR 2010},
+  editor =	 {J{\"u}rgen Giesl and Reiner H{\"a}hnle},
+  year =	 {2010},
+  pages =	 {107-121},
+  volume =	 {6173},
+  series =	 lncs,
+  month =	 jul,
+  publisher =	 {Springer},
+}
+
+@InProceedings{Dafny:LASER2011,
+  author = 	 {Luke Herbert and K. Rustan M. Leino and Jose Quaresma},
+  title = 	 {Using {Dafny}, an Automatic Program Verifier},
+  booktitle =	 {Tools for Practical Software Verification, {LASER}, International Summer School 2011},
+  editor =	 {Bertrand Meyer and Martin Nordio},
+  volume =	 {7682},
+  series =	 lncs,
+  year =	 {2012},
+  pages =	 {156-181},
+  publisher =	 {Springer},
+}
+
+@Article{Leroy:CompCert:CACM,
+  author = 	 {Xavier Leroy},
+  title = 	 {Formal verification of a realistic compiler},
+  journal = 	 cacm,
+  volume =	 {52},
+  number =	 {7},
+  year = 	 {2009},
+  pages =	 {107-115},
+}
+
+@InProceedings{Leino:ITP2013,
+  author = 	 {K. Rustan M. Leino},
+  title = 	 {Automating Theorem Proving with {SMT}},
+  booktitle =	 {ITP 2013},
+  year =	 {2013},
+  volume =	 {7998},
+  series =	 lncs,
+  pages =	 {2-16},
+  month =	 jul,
+  publisher =	 {Springer},
+}
+
+@techreport{Nelson:thesis,
+  author = "Charles Gregory Nelson",
+  title = "Techniques for Program Verification",
+  institution = "Xerox PARC",
+  month = jun,
+  year = 1981,
+  number = "CSL-81-10",
+  note = "The author's PhD thesis"
+}
+
+@InProceedings{LernerMillsteinChambers:VerifiedOptimizations,
+  author = 	 {Sorin Lerner and Todd Millstein and Craig Chambers},
+  title = 	 {Automatically proving the correctness of compiler optimizations},
+  booktitle =	 {Proceedings of the ACM SIGPLAN 2003 Conference on
+                  Programming Language Design and Implementation 2003},
+  year =	 {2003},
+  editor =	 {Ron Cytron and Rajiv Gupta},
+  pages =	 {220-231},
+  month =	 jun,
+  publisher =	 {ACM},
+}
+
+@InProceedings{BoyerHunt:ACL2,
+  author =       {Robert S. Boyer and Hunt, Jr., Warren A.},
+  title =        {Function Memoization and Unique Object Representation for {ACL2} Functions},
+  booktitle =    {Proceedings of the Sixth International Workshop on
+                  the ACL2 Theorem Prover and its Applications, ACL2 2006},
+  editor =       {Panagiotis Manolios and Matthew Wilding},
+  month =        aug,
+  year =         {2006},
+  pages =        {81--89},
+  publisher =    {ACM},
+}
+
+@inproceedings{LeinoWuestholz:DafnyIDE,
+  author    = {K. Rustan M. Leino and
+               Valentin W{\"{u}}stholz},
+  title     = {The {D}afny Integrated Development Environment},
+  booktitle = {Proceedings 1st Workshop on Formal Integrated Development Environment,
+               {F-IDE} 2014},
+  month     = apr,
+  year      = {2014},
+  pages     = {3--15},
+  editor    = {Catherine Dubois and
+               Dimitra Giannakopoulou and
+               Dominique M{\'{e}}ry},
+  series    = {{EPTCS}},
+  volume    = {149},
+}
+
+@inproceedings{BarnettLeino:Weakest,
+ author = {Mike Barnett and K. Rustan M. Leino},
+ title = {Weakest-precondition of unstructured programs},
+ booktitle = {Proceedings of the 2005 ACM SIGPLAN-SIGSOFT Workshop on
+                  Program Analysis For Software Tools and Engineering,
+                  PASTE'05},
+ editor = {Michael D. Ernst and Thomas P. Jensen},
+ month = sep,
+ year = {2005},
+ pages = {82-87},
+ publisher = {ACM},
+}
+
+@InProceedings{AutoProof:TACAS2015,
+  author = 	 {Julian Tschannen and Carlo A. Furia and Martin Nordio and Nadia Polikarpova},
+  title = 	 {{AutoProof}: Auto-Active Functional Verification of Object-Oriented Programs},
+  booktitle =	 {Tools and Algorithms for the Construction and
+                  Analysis of Systems --- 21st International Conference,
+                  TACAS 2015},
+  OPTyear = 	 {2015},
+  editor =	 {Christel Baier and Cesare Tinelli},
+  volume =	 {9035},
+  series =	 lncs,
+  pages =	 {566-580},
+  month =	 apr,
+  publisher =	 {Springer},
+}
+
+@Article{Doyle:TMS,
+  author = 	 {Jon Doyle},
+  title = 	 {A Truth Maintenance System},
+  journal = 	 {Artificial Intelligence},
+  year = 	 {1979},
+  month =	 nov,
+  volume =	 {12},
+  number =	 {3},
+  pages =	 {231-272},
+}
+
+@InProceedings{LeinoMueller:SpecSharp:Tutorial,
+  author =    {K. Rustan M. Leino and Peter M{\"u}ller},
+  title =     {Using the {Spec\#} Language, Methodology, and Tools to Write Bug-Free Programs},
+  booktitle = {LASER Summer School 2007/2008},
+  editor =    {Peter M{\"u}ller},
+  series =    lncs,
+  volume =    6029,
+  year =      2010,
+  publisher = {Springer},
+  pages =     {91-139},
+}
+
+@inproceedings{TFNP-TACAS15,
+  author = {Julian Tschannen and Carlo A. Furia and Martin Nordio and Nadia Polikarpova},
+  title = {{AutoProof}: Auto-active Functional Verification of Object-oriented Programs},
+  booktitle = {Tools and Algorithms for the Construction and Analysis of Systems --- 21st International Conference, TACAS 2015},
+  editor = {Christel Baier and Cesare Tinelli},
+  series = lncs,
+  volume = {9035},
+  month = apr,
+  year = {2015},
+  publisher = {Springer},
+  pages = {566-580},
+}
+
+@inproceedings{PTFM-FM14,
+  author = {Nadia Polikarpova and Julian Tschannen and Carlo A. Furia and Bertrand Meyer},
+  title = {Flexible Invariants Through Semantic Collaboration},
+  booktitle = {FM 2014},
+  series = lncs,
+  volume = {8442},
+  publisher = {Springer},
+  month = may,
+  year = {2014},
+  pages = {514-530}
+}
+
+@InProceedings{VeriFast:Java:tutorial,
+  author = 	 {Jan Smans and Bart Jacobs and Frank Piessens},
+  title = 	 {{VeriFast} for {J}ava: A Tutorial},
+  booktitle =	 {Aliasing in Object-Oriented Programming. Types, Analysis and Verification},
+  year =	 {2013},
+  editor =	 {Dave Clarke and James Noble and Tobias Wrigstad},
+  volume =	 {7850},
+  series =	 lncs,
+  pages =	 {407-442},
+  publisher =	 {Springer},
+}
+
+@InProceedings{Traits:ECOOP2003,
+  author = 	 {Nathanael Sch{\"a}rli and St{\'e}phane Ducasse and Oscar Nierstrasz and Andrew P. Black},
+  title = 	 {Traits: Composable Units of Behaviour},
+  booktitle =	 {ECOOP 2003 --- Object-Oriented Programming, 17th European Conference},
+  editor =	 {Luca Cardelli},
+  series =	 lncs,
+  volume =	 {2743},
+  pages =	 {248-274},
+  month =	 jul,
+  year =	 {2003},
+  publisher =	 {Springer},
+}
+
+@Article{Traits:logic,
+  author = 	 {Ferruccio Damiani and Johan Dovland and Einar Broch Johnsen and Ina Schaefer},
+  title = 	 {Verifying traits: an incremental proof system for fine-grained reuse},
+  journal = 	 {Formal Aspects of Computing},
+  volume =	 {26},
+  number =	 {4},
+  pages =	 {761-793},
+  month =	 jul,
+  year = 	 {2014},
+}
+
+@inproceedings{LeinoPolikarpova:calc,
+  author    = {K. Rustan M. Leino and
+               Nadia Polikarpova},
+  title     = {Verified Calculations},
+  booktitle = {VSTTE 2013},
+  series = lncs,
+  volume = 8164,
+  year      = {2014},
+  pages     = {170-190},
+  publisher = {Springer},
+}
+
+@Article{LeinoYessenov:ChaliceRefinement,
+  author =       {K. Rustan M. Leino and Kuat Yessenov},
+  title =        {Stepwise refinement of heap-manipulating code in {C}halice},
+  journal =      {Formal Aspects of Computing},
+  year =         {2012},
+  volume =       {24},
+  number =       {4--6},
+  pages =        {519--535},
+  month =        jul,
+}
+
+@article{Wirth:StepwiseRefinment,
+  author    = "N. Wirth",
+  title     = "{Program Development by Stepwise Refinement}",
+  journal   = cacm,
+  volume    = 14,
+  year      = 1971,
+  pages     = "221-227"
+}
+
+@article{Dijkstra:Refinement,
+  author = "E. W. Dijkstra",
+  title = "A constructive approach to the problem of program correctness",
+  journal = "BIT",
+  volume = 8,
+  year = 1968,
+  pages = "174-186"
+}
+
+@phdthesis{Back:thesis,
+  author    = "R.-J. R. Back",
+  title     = "On the Correctness of Refinement Steps in Program Development",
+  school    = "University of Helsinki",
+  year      = 1978,
+  note      = "Report A-1978-4"
+}
+
+@article{Morgan:SpecStmt,
+  author = "Carroll Morgan",
+  title = "The Specification Statement",
+  journal = toplas,
+  volume = 10,
+  number = 3,
+  year = 1988,
+  month = jul,
+  pages = "403-419"
+}
+
+@book{Morgan:book,
+  author    = "Carroll Morgan",
+  title     = "Programming from Specifications",
+  publisher = "Prentice-Hall International",
+  series = "Series in Computer Science",
+  year      = 1990
+}
+
+@article{Morris:Refinement,
+  author = "Joseph M. Morris",
+  title = "A theoretical basis for stepwise refinement and the
+    programming calculus",
+  journal = scp,
+  volume = 9,
+  number = 3,
+  month = dec,
+  year = 1987,
+  pages = "287-306"
+}
+
+@article{GriesVolpano:Transform,
+  author = "David Gries and Dennis Volpano",
+  title = "The Transform --- a New Language Construct",
+  journal = "Structured Programming",
+  volume = 11,
+  number = 1,
+  year = 1990,
+  pages = "1-10"
+}
+
+@Book{Abrial:BBook,
+  author = "J.-R. Abrial",
+  title = "The {B}-Book: Assigning Programs to Meanings",
+  publisher = "Cambridge University Press",
+  year = 1996
+}
+
+@Book{Jones:VDM:book,
+  Author = "Cliff B. Jones",
+  Title = "Systematic Software Development Using {VDM}",
+  Publisher = "Prentice Hall",
+  Series = "International Series in Computer Science",
+  Address = "Englewood Cliffs, N.J.",
+  Edition = "Second",
+  Year = 1990
+}
+
+@Book{Abrial:EventB:book,
+  author =       {Jean-Raymond Abrial},
+  title =        {Modeling in {Event-B}: System and Software Engineering},
+  publisher =    {Cambridge University Press},
+  year =         {2010},
+}
+
+@Misc{ClearSy:AtelierB,
+  author =       {ClearSy},
+  title =        {Atelier {B}},
+  howpublished = {\url{http://www.atelierb.eu/}},
+}
+
+@InProceedings{Abrial:FM-in-practice,
+  author =       {Jean-Raymond Abrial},
+  title =        {Formal methods in industry: achievements, problems, future},
+  booktitle =    {28th International Conference on Software Engineering (ICSE 2006)},
+  editor =       {Leon J. Osterweil and H. Dieter Rombach and Mary Lou Soffa},
+  month =        may,
+  year =         {2006},
+  publisher =    {ACM},
+  pages =        {761-768},
+}
+
+@InProceedings{MartinEtAl:AsynchMIPS,
+  author =       {Alain J. Martin and Andrew Lines and Rajit Manohar
+    and Mika Nystr{\"o}m and Paul I. P{\'e}nzes and
+      Robert Southworth and Uri Cummings},
+  title =        {The Design of an Asynchronous {MIPS} {R3000} Microprocessor},
+  booktitle =    {17th Conference on Advanced Research in VLSI {ARVLSI '97}},
+  month =        sep,
+  year =         {1997},
+  publisher =    {IEEE Computer Society},
+  pages =        {164-181},
+}
+
+@Book{Abrial:EventB-book,
+  author =       {Jean-Raymond Abrial},
+  title =        {Modeling in {Event-B}: System and Software Engineering},
+  publisher =    {Cambridge University Press},
+  year =         {2010},
+}
+
+@Article{BackSere:ActionSystems,
+  author =       {Ralph-Johan Back and Kaisa Sere},
+  title =        {Stepwise Refinement of Action Systems},
+  journal =      {Structured Programming},
+  year =         {1991},
+  volume =       {12},
+  number =       {1},
+  pages =        {17-30},
+}
+
+@InProceedings{VCC:overview,
+  author =       {Ernie Cohen and Markus Dahlweid and Mark Hillebrand and Dirk Leinenbach and
+    Micha{\l} Moskal and Thomas Santen and Wolfram Schulte and Stephan Tobies},
+  title =        {{VCC}: A Practical System for Verifying Concurrent {C}},
+  booktitle =    {Theorem Proving in Higher Order Logics, 22nd International Conference, TPHOLs 2009},
+  editor =       {Stefan Berghofer and Tobias Nipkow and Christian Urban and Makarius Wenzel},
+  volume =       {5674},
+  series =       LNCS,
+  publisher =    {Springer},
+  month =        aug,
+  year =         {2009},
+  pages =        {23-42},
+}
+
+@InProceedings{BallEtAll:ScalableChecking,
+  author =       {Thomas Ball and Brian Hackett and Shuvendu K. Lahiri
+    and Shaz Qadeer and Julien Vanegue},
+  title =        {Towards Scalable Modular Checking of User-Defined Properties},
+  booktitle =    {Verified Software: Theories, Tools, Experiments,
+    (VSTTE 2010)},
+  editor =       {Gary T. Leavens and Peter O'Hearn and Sriram K. Rajamani},
+  volume =       {6217},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        aug,
+  year =         {2010},
+  pages =        {1-24},
+}
+
+@techreport{ESC:rr,
+  author = "David L. Detlefs and K. Rustan M. Leino and Greg Nelson
+    and James B. Saxe",
+  title = "Extended static checking",
+  institution = "Compaq Systems Research Center",
+  month = dec,
+  year = 1998,
+  type = "Research Report",
+  number = 159
+}
+
+@InProceedings{VeanesEtAl:SpecExplorer,
+  author =       {Margus Veanes and Colin Campbell and Wolfgang
+    Grieskamp and Wolfram Schulte and Nikolai Tillmann
+      and Lev Nachmanson},
+  title =        {Model-Based Testing of Object-Oriented Reactive
+    Systems with {Spec} {Explorer}},
+  booktitle =    {Formal Methods and Testing},
+  pages =        {39-76},
+  year =         {2008},
+  editor =       {Robert M. Hierons and Jonathan P. Bowen and Mark Harman},
+  volume =       {4949},
+  series =       lncs,
+  publisher =    {Springer},
+}
+
+@article{Hoare:DataRepresentations,
+  author = "C. A. R. Hoare",
+  title = "Proof of correctness of data representations",
+  journal = acta,
+  volume = 1,
+  number = 4,
+  year = 1972,
+  pages = "271-281"
+}
+
+@manual{baudin09acsl,
+  title = {{ACSL}: {ANSI}/{ISO} {C} Specification Language, version 1.4},
+  author = {Patrick Baudin and Jean-Christophe Filli{\^a}tre and
+    Claude March{\'e} and Benjamin Monate and Yannick
+      Moy and Virgile Prevosto},
+  year = 2009,
+  note = {\url{http://frama-c.com/}}
+}
+
+@InProceedings{BarnettEtAl:Boogie,
+  author = "Mike Barnett and Bor-Yuh Evan Chang and Robert DeLine and
+    Bart Jacobs and K. Rustan M. Leino",
+  title = "{B}oogie: A Modular Reusable Verifier for Object-Oriented Programs",
+  booktitle = "Formal Methods for Components and Objects:  4th
+    International Symposium, FMCO 2005",
+  editor = "de Boer, Frank S. and Marcello M. Bonsangue and
+    Susanne Graf and de Roever, Willem-Paul",
+  series = lncs,
+  volume = 4111,
+  publisher = "Springer",
+  month = sep,
+  year = 2006,
+  pages = "364-387"
+}
+
+@inproceedings{deMouraBjorner:Z3:overview,
+  author    = "de Moura, Leonardo and Nikolaj Bj{\o}rner",
+  title     = {{Z3}: An efficient {SMT} solver},
+  booktitle = {TACAS 2008},
+  series    = lncs,
+  volume    = 4963,
+  publisher = {Springer},
+  month     = mar # "--" # apr,
+  year      = 2008,
+  pages     = {337-340},
+}
+
+@Article{Back-Mikhajlova-vonWright:ClassRefinement,
+  author =       {Ralph-Johan Back and Anna Mikhaljova and von Wright, Joakim},
+  title =        {Class Refinement as Semantics of Correct Object Substitutability},
+  journal =      {Formal Aspects of Computing},
+  volume =       {12},
+  number =       {1},
+  year =         {2000},
+  month =        oct,
+  pages =        {18-40},
+}
+
+@InProceedings{MikhajlovaSekerinski:ClassRefinement,
+  author = 	 {Anna Mikhaljova and Emil Sekerinski},
+  title = 	 {Class Refinement and Interface Refinement in Object-Oriented Programs},
+  booktitle =	 {FME '97: Industrial Applications and Strengthened
+    Foundations of Formal Methods, 4th International
+      Symposium of Formal Methods Europe},
+  editor =	 {John S. Fitzgerald and Cliff B. Jones and Peter Lucas},
+  volume =	 {1313 },
+  series =	 lncs,
+  publisher =	 {Springer},
+  month =	 sep,
+  year =	 {1997},
+  pages =	 {82-101},
+}
+
+@InProceedings{LeinoMueller:ESOP2009,
+  author =    {K. Rustan M. Leino and Peter M{\"u}ller},
+  title =     {A Basis for Verifying Multi-threaded Programs},
+  booktitle = {Programming Languages and Systems, 18th European
+    Symposium on Programming, ESOP 2009},
+  editor =    {Giuseppe Castagna},
+  volume =    {5502},
+  series =    lncs,
+  publisher = {Springer},
+  month =     mar,
+  year =      2009,
+  pages =     {378-393},
+}
+
+@InCollection{Chalice:tutorial,
+  author =    {K. Rustan M. Leino and Peter M{\"u}ller and Jan Smans},
+  title =     {Verification of Concurrent Programs with {C}halice},
+  booktitle = {Foundations of Security Analysis and Design {V}: {FOSAD} 2007/2008/2009 Tutorial Lectures},
+  editor =    {Alessandro Aldini and Gilles Barthe and Robert Gorrieri},
+  volume = 	  {5705},
+  series = 	  lncs,
+  publisher = {Springer},
+  year = 	    {2009},
+  pages =     {195-222},
+}
+
+@InProceedings{LeinoRuemmer:Boogie2,
+  author =       {K. Rustan M. Leino and Philipp R{\"u}mmer},
+  title =        {A Polymorphic Intermediate Verification Language:
+    Design and Logical Encoding},
+  booktitle =    {Tools and Algorithms for the Construction and
+    Analysis of Systems, 16th International Conference,
+    TACAS 2010},
+  editor =       {Javier Esparza and Rupak Majumdar},
+  series =       lncs,
+  volume =       6015,
+  publisher =    {Springer},
+  month =        mar,
+  year =         2010,
+  pages =        {312-327},
+}
+
+@book{LiskovGuttag:book,
+  author = "Barbara Liskov and John Guttag",
+  title = "Abstraction and Specification in Program Development",
+  publisher = "MIT Press",
+  series = "MIT Electrical Engineering and Computer Science Series",
+  year = 1986
+}
+
+@TechReport{DahlEtAl:Simula67,
+  author =       {Ole-Johan Dahl and Bj{\o}rn Myhrhaug and Kristen Nygaard},
+  title =        {Common Base Language},
+  institution =  {Norwegian Computing Center},
+  type =         {Publication},
+  number =       {S-22},
+  month =        oct,
+  year =         1970,
+}
+
+@InProceedings{tafat10foveoos,
+  author = {Asma Tafat and Sylvain Boulm\'e and Claude March\'e},
+  title = {A Refinement Methodology for Object-Oriented Programs},
+  booktitle = {Formal Verification of Object-Oriented Software, Papers
+    Presented at the International Conference},
+  editor = {Bernhard Beckert and Claude March\'e},
+  month = jun,
+  year = 2010,
+  pages = {143--159},
+}
+
+@inproceedings{LeinoMueller:ModelFields,
+  author    = {K. Rustan M. Leino and
+    Peter M{\"u}ller},
+  title     = {A Verification Methodology for Model Fields},
+  booktitle = "Programming Languages and Systems, 15th European Symposium on Programming, ESOP 2006",
+  editor = "Peter Sestoft",
+  series = lncs,
+  volume = 3924,
+  publisher = "Springer",
+  month = mar,
+  year = 2006,
+  pages = {115-130},
+}
+
+@InProceedings{CarterEtAl:UsingPerfectDeveloper,
+  author =       {Gareth Carter and Rosemary Monahan and Joseph M. Morris},
+  title =        {Software Refinement with {P}erfect {D}eveloper},
+  booktitle =    {Third IEEE International Conference on Software
+    Engineering and Formal Methods (SEFM 2005)},
+  pages =        {363-373},
+  editor =       {Bernhard K. Aichernig and Bernhard Beckert},
+  month =        sep,
+  year =         {2005},
+  publisher =    {IEEE Computer Society},
+}
+
+@InProceedings{Abrial:SchorrWaite,
+  author =       {Jean-Raymond Abrial},
+  title =        {Event Based Sequential Program Development:
+    Application to Constructing a Pointer Program},
+  booktitle =    {FME 2003: Formal Methods, International Symposium of
+    Formal Methods Europe},
+  editor =       {Keijiro Araki and Stefania Gnesi and Dino Mandrioli},
+  volume =       {2805},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        sep,
+  year =         {2003},
+  pages =        {51-74},
+}
+
+@article{Barnett-etal04,
+  author    = {Mike Barnett and Robert DeLine and Manuel F{\"a}hndrich and
+    K. Rustan M. Leino and Wolfram Schulte},
+  title     = {Verification of Object-Oriented Programs with Invariants},
+  journal   = {Journal of Object Technology},
+  volume    = 3,
+  number    = 6,
+  year      = 2004,
+  pages     = {27-56},
+}
+
+@TechReport{HatcliffEtAl:survey-tr,
+  author =       {John Hatcliff and Gary T. Leavens and K. Rustan M. Leino and
+    Peter M{\"u}ller and Matthew Parkinson},
+  title =        {Behavioral Interface Specification Languages},
+  institution =  {University of Central Florida, School of EECS},
+  month =        oct,
+  year =         {2010},
+  number =       {CS-TR-09-01a},
+}
+
+@Article{HatcliffEtAl:survey:journal:tentativeInfo,
+  author =       {John Hatcliff and Gary T. Leavens and K. Rustan M. Leino and
+    Peter M{\"u}ller and Matthew Parkinson},
+  title =        {Behavioral Interface Specification Languages},
+  journal = 	 {ACM Computing Surveys},
+  year = 	 {2012},
+  volume =	 {44},
+  number =	 {3},
+  month =	 may,
+}
+
+@inproceedings{Boyland:SAS2003,
+  author =      {John Boyland},
+  title =       {Checking Interference with Fractional Permissions},
+  booktitle =   "Static Analysis, 10th International Symposium, SAS 2003",
+  editor =      {Radhia Cousot},
+  series =      lncs,
+  volume =      2694,
+  publisher =   "Springer",
+  year =        2003,
+  pages =       {55-72}
+}
+
+@InProceedings{SmansEtAl:ImplicitDynamicFrames,
+  author = 	 {Jan Smans and Bart Jacobs and Frank Piessens},
+  title = 	 {Implicit Dynamic Frames: Combining Dynamic Frames
+    and Separation Logic},
+  booktitle =	 {ECOOP 2009 --- Object-Oriented Programming, 23rd
+    European Conference},
+  editor =	 {Sophia Drossopoulou},
+  volume =	 {5653},
+  series =	 lncs,
+  publisher =	 {Springer},
+  month =	 jul,
+  year =	 {2009},
+  pages =	 {148-172},
+}
+
+@Misc{Escher,
+  author = "{Escher Technologies, Inc.}",
+  title = "Getting started with {P}erfect",
+  howpublished = "\url{http://www.eschertech.com}",
+  year = 2001
+}
+
+@Article{LeinoNelson:tome,
+  author = "K. Rustan M. Leino and Greg Nelson",
+  title = "Data abstraction and information hiding",
+  journal = toplas,
+  month = sep,
+  year = 2002,
+  volume = 24,
+  number = 5,
+  pages = "491-553"
+}
+
+@InProceedings{Clarke-Drossopoulou02,
+  author =	 {Dave Clarke and Sophia Drossopoulou},
+  title =	 {Ownership, encapsulation and the disjointness of
+    type and effect},
+  booktitle =	 {Proceedings of the 2002 ACM SIGPLAN Conference on
+    Object-Oriented Programming Systems, Languages and
+      Applications, OOPSLA 2002},
+  publisher = {ACM},
+  Month =	 nov,
+  Year =	 2002,
+  pages =	 {292--310},
+}
+
+@InProceedings{Reynolds:SepLogic,
+  author =       {John C. Reynolds},
+  title =        {Separation Logic: A Logic for Shared Mutable Data Structures},
+  booktitle =    {17th IEEE Symposium on Logic in Computer Science (LICS 2002)},
+  publisher =    {IEEE Computer Society},
+  year =         {2002},
+  month =        jul,
+  pages =        {55-74},
+}
+
+# References supplied by the reviewers.
+# Added 12/20/11.
+
+@incollection{Potet:BComposition,
+  author = {Potet, Marie and Rouzaud, Yann},
+  affiliation = {LSR-IMAG Grenoble France},
+  title = {Composition and refinement in the B-method},
+  booktitle = {B￿￿98: Recent Advances in the Development and Use of the B Method},
+  series = lncs,
+  editor = {Bert, Didier},
+  publisher = {Springer Berlin / Heidelberg},
+  isbn = {978-3-540-64405-7},
+  keyword = {Computer Science},
+  pages = {46-65},
+  volume = {1393},
+  url = {http://dx.doi.org/10.1007/BFb0053355},
+  note = {10.1007/BFb0053355},
+  year = {1998}
+}
+
+@inproceedings{Grandy:JavaRefinement,
+  author = {Grandy, Holger and Stenzel, Kurt and Reif, Wolfgang},
+  title = {A refinement method for {J}ava programs},
+  booktitle = {Formal Methods for Open Object-Based Distributed Systems, 9th IFIP WG 6.1 International Conference, FMOODS 2007},
+  editor = {Marcello M. Bonsangue and Einar Broch Johnsen},
+  series = lncs,
+  number = {4468},
+  month = jun,
+  year = {2007},
+  publisher = {Springer},
+  pages = {221--235},
+}
+
+@inproceedings{Wehrheim:Subtypes,
+  author    = {Heike Wehrheim},
+  title     = {Checking Behavioural Subtypes via Refinement},
+  booktitle = {FMOODS},
+  year      = {2002},
+  pages     = {79-93},
+  crossref  = {DBLP:conf/fmoods/2002},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@article{Banerjee:ownership,
+  author = {Banerjee, Anindya and Naumann, David A.},
+  title = {Ownership confinement ensures representation independence for object-oriented programs},
+  journal = jacm,
+  volume = {52},
+  issue = {6},
+  month = {November},
+  year = {2005},
+  issn = {0004-5411},
+  pages = {894--960},
+  numpages = {67},
+  url = {http://doi.acm.org/10.1145/1101821.1101824},
+  doi = {http://doi.acm.org/10.1145/1101821.1101824},
+  acmid = {1101824},
+  publisher = {ACM},
+  address = {New York, NY, USA},
+  keywords = {Alias control, confinement, data refinement, relational parametricity, simulation},
+}
+
+@Article{SpecSharp:Retrospective:CACM,
+  author = 	 {Mike Barnett and Manuel F{\"a}hndrich and
+                  K. Rustan M. Leino and Peter M{\"u}ller and
+                  Wolfram Schulte and Herman Venter},
+  title = 	 {Specification and Verification: The {Spec\#} Experience},
+  journal = 	 cacm,
+  volume =	 {54},
+  number =	 {6},
+  pages =	 {81-91},
+  month =	 jun,
+  year = 	 2011,
+}
+
+@InProceedings{Heule:FractionsWithoutFractions,
+  author = 	 {Stefan Heule and K. Rustan M. Leino and Peter
+                  M{\"u}ller and Alexander J. Summers},
+  title = 	 {Fractional Permissions without the Fractions},
+  booktitle =	 {13th Workshop on Formal Techniques for Java-like
+                  Programs, FTfJP 2011},
+  year =	 {2011},
+  month =	 jul,
+}
+
+@incollection{Morgan:Capjunctive,
+  author = "Carroll Morgan",
+  title = "The Cuppest Capjunctive Capping, and {G}alois",
+  editor = "A. W. Roscoe",
+  booktitle = "A Classical Mind:  Essays in Honour of C.A.R. Hoare",
+  publisher = "Prentice-Hall",
+  series = "International Series in Computer Science",
+  pages = "317-332",
+  year = 1994
+}
+
+@Article{Morgan:CompositionalNoninterference,
+  author = 	 {Carroll Morgan},
+  title = 	 {Compositional noninterference from first principles},
+  journal = 	 fac,
+  year = 	 {2012},
+  volume =	 {24},
+  number =	 {1},
+  pages =	 {3-26},
+}
+
+@article{DenningDenning:Certification,
+  author = "Dorothy E. Denning and Peter J. Denning",
+  title = "Certification of Programs for Secure Information Flow",
+  journal = cacm,
+  volume = 20,
+  number = 7,
+  month = jul,
+  year = 1977,
+  pages = "504-513"
+}
+
+@article{Jones:Interference,
+  author = "C. B. Jones",
+  title = "Accommodating interference in the formal design of
+		  concurrent object-based programs",
+  journal = "Formal Methods in System Design",
+  volume = 8,
+  number = 2,
+  pages = "105-122",
+  month = mar,
+  year = 1996
+}
+
+@Book{Jackson:Alloy:book,
+  author =       {Daniel Jackson},
+  title =        {Software Abstractions: Logic, Language, and Analysis},
+  publisher =    {MIT Press},
+  year =         {2006},
+}
+
+@inproceedings{LeuschelButler:FME03,
+   author =    {Michael Leuschel and Michael Butler},
+   title =     {Pro{B}: A Model Checker for {B}},
+   booktitle = {FME 2003: Formal Methods},
+   editor =    {Araki, Keijiro and Gnesi, Stefania and Mandrioli, Dino},
+   publisher = {Springer},
+   series =    lncs,
+   number =    {2805},
+   year =      2003,
+   pages =     {855-874},
+}
+
+@InProceedings{ParkinsonBierman:POPL2005,
+  author =       {Matthew J. Parkinson and Gavin M. Bierman},
+  title =        {Separation logic and abstraction},
+  booktitle =    {Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium
+                  on Principles of Programming Languages, POPL 2005},
+  publisher =    {ACM},
+  month =        jan,
+  year =         {2005},
+  pages =        {247-258},
+}
+
+@Article{LiskovWing94,
+  author = "Barbara Liskov and Jeannette M. Wing",
+  title = "A Behavioral Notion of Subtyping",
+  journal = toplas,
+  year = 1994,
+  volume = 16,
+  number = 6
+}
+
+@book{WoodcockDavies:UsingZ,
+  title = "Using {Z}: Specification, Refinement, and Proof",
+  author = "Jim Woodcock and Jim Davies",
+  year = "1996",
+  publisher = "Prentice Hall International",
+}
+
+@Article{Leavens:ModularOOSpecs,
+  author = 	 {Gary T. Leavens},
+  title = 	 {Modular Specification and Verification of Object-Oriented Programs},
+  journal = 	 {IEEE Software},
+  year = 	 {1991},
+  volume =	 {8},
+  number =	 {4},
+  pages =	 {72-80},
+}
+
+@InProceedings{ShieldHayes:InvsAndDynConstraints,
+  author = 	 {Jamie Shield and Ian J. Hayes},
+  title = 	 {Refining Object-Oriented Invariants and Dynamic Constraints},
+  booktitle =	 {9th Asia-Pacific Software Engineering Conference (APSEC 2002)},
+  pages =	 {52-61},
+  year =	 {2002},
+  publisher =	 {IEEE Computer Society},
+}
+
+@TechReport{Chalice:predicates:TR,
+ author = {S. Heule and I. T. Kassios and P. M\"uller and A. J. Summers},
+ title = {Verification Condition Generation for Permission Logics with Abstraction Functions},
+ institution = {ETH Zurich},
+ year = {2012},
+ number = {761}
+}
+
+@InCollection{KleinEtAl:DataRefinement,
+  author =    {Gerwin Klein and Thomas Sewell and Simon Winwood},
+  title =     {Refinement in the formal verification of {seL4}},
+  booktitle = {Design and Verification of Microprocessor Systems for High-Assurance Applications},
+  editor =    {David S. Hardin},
+  pages =     {323--339},
+  month =     Mar,
+  year =      {2010},
+  publisher = {Springer},
+}
+
+@InProceedings{DharaLeavens:forcing,
+  author =       {Krishna Kishore Dhara and Gary T. Leavens},
+  title =        {Forcing Behavioral Subtyping through Specification Inheritance},
+  booktitle =    {18th International Conference on Software Engineering},
+  year =         {1996},
+  editor =       {H. Dieter Rombach and T. S. E. Maibaum and Marvin V. Zelkowitz},
+  pages =        {258-267},
+  month =        mar,
+  publisher =    {IEEE Computer Society},
+}
+
+@InProceedings{SpiritOfGhostCode,
+  author =       {Jean-Christophe Filli{\^a}tre and L{\'e}on Gondelman and Andrei Paskevich},
+  title =        {The Spirit of Ghost Code},
+  booktitle =    {Computer Aided Verification --- 26th International Conference, CAV 2014},
+  year =         {2014},
+  editor =       {Armin Biere and Roderick Bloem},
+  series =       lncs,
+  volume =       {8559},
+  pages =        {1-16},
+  month =        jul,
+  publisher =    {Springer},
+}
+
+@InProceedings{Dafny:traits,
+  author =       {Reza Ahmadi and K. Rustan M. Leino and Jyrki Nummenmaa},
+  title =        {Automatic Verification of {D}afny Programs with Traits},
+  booktitle =    {Formal Techniques for {J}ava-like Programs, FTfJP 2015},
+  year =         {2015},
+  editor =       {Rosemary Monahan},
+  publisher =    {ACM},
+}
+
+@InProceedings{Dafny:Cloudmake,
+  author =       {Maria Christakis and K. Rustan M. Leino and Wolfram Schulte},
+  title =        {Formalizing and Verifying a Modern Build Language},
+  booktitle =    {FM 2014: Formal Methods --- 19th International Symposium},
+  year =         {2014},
+  editor =       {Cliff B. Jones and Pekka Pihlajasaari and Jun Sun},
+  volume =       {8442},
+  series =       lncs,
+  pages =        {643-657},
+  month =        may,
+  publisher =    {Springer},
+}
+
+@Misc{Leino:SPLASH2012:keynote,
+  author =       {K. Rustan M. Leino},
+  title =        {Staged Program Development},
+  howpublished = {SPLASH 2012 keynote},
+  note =         {InfoQ video, \url{http://www.infoq.com/presentations/Staged-Program-Development}},
+  month =        oct,
+  year =         {2012},
+}
+
+@article{Parnas:secret,
+  author = "D. L. Parnas",
+  title = "On the criteria to be used in decomposing systems into modules",
+  journal = cacm,
+  volume = 15,
+  number = 12,
+  month = dec,
+  year = 1972,
+  pages = "1053-1058",
+  note = "Reprinted as {\tt www.acm.org/classics/may96/}"
+}
+
+@InProceedings{KIV:overview,
+  author = 	 {Wolfgang Reif},
+  title = 	 {The {KIV} System: Systematic Construction of Verified Software},
+  booktitle =	 {Automated Deduction --- CADE-11, 11th International Conference
+                  on Automated Deduction},
+  editor =	 {Deepak Kapur},
+  series =	 lncs,
+  volume =	 {607},
+  publisher =	 {Springer},
+  pages =	 {753-757},
+  month =	 jun,
+  year =	 {1992},
+}
+
+@InProceedings{LeinoMoskal:Coinduction,
+  author =       {K. Rustan M. Leino and Micha{\l} Moskal},
+  title =        {Co-induction Simply --- Automatic Co-inductive Proofs in a Program Verifier},
+  booktitle =    {FM 2014},
+  series =       lncs,
+  volume =       {8442},
+  publisher =    {Springer},
+  month =        may,
+  year =         {2014},
+  pages =        {382-398},
+}
+
+@Article{Tarski:theorem,
+  author = "Alfred Tarski",
+  title = "A lattice-theoretical fixpoint theorem and its applications",
+  journal = "Pacific Journal of Mathematics",
+  year = 1955,
+  volume = 5,
+  pages = "285-309"
+}
+
+@TechReport{KozenSilva:Coinduction,
+  author =       {Dexter Kozen and Alexandra Silva},
+  title =        {Practical coinduction},
+  institution =  {Comp. and Inf. Science, Cornell Univ.},
+  year =         {2012},
+  number =       {\url{http://hdl.handle.net/1813/30510}},
+}
+
+@book{Milner:CCS,
+ author = "Robin Milner",
+ title = {A  Calculus of Communicating Systems},
+ year = {1982},
+ publisher = {Springer},
+}
+
+@Book{NipkowKlein:ConcreteSemantics,
+  author =       {Tobias Nipkow and Gerwin Klein},
+  title =        {Concrete Semantics with {I}sabelle/{HOL}},
+  publisher =    {Springer},
+  year =         {2014},
+}
+
+@Book{Pierce:SoftwareFoundations,
+  author =       {Benjamin C. Pierce and Chris Casinghino and
+                  Marco Gaboardi and Michael Greenberg and
+                  C{\u{a}}t{\u{a}}lin Hri\c{t}cu and Vilhelm Sj{\"o}berg and
+                  Brent Yorgey},
+  title =        {Software Foundations},
+  publisher =    {\url{http://www.cis.upenn.edu/~bcpierce/sf}},
+  year =         {2015},
+  edition =      {version 3.2},
+  month =        jan,
+}
+
+@InProceedings{ClochardEtAl:SemanticsInWhy3,
+  author = {Martin Clochard and Jean-Christophe
+  Filli\^atre and Claude March\'e and Andrei Paskevich},
+  title =        {Formalizing Semantics with an Automatic Program Verifier},
+  booktitle =    {VSTTE 2014},
+  volume =       {8471},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        jul,
+  year =         {2014},
+  pages =        {37--51},
+}
+
+@Article{LeroyGrall:CoinductiveBigStep,
+  author =       {Xavier Leroy and Herv\'e Grall},
+  title =        {Coinductive big-step operational semantics},
+  journal =      {Information and Computation},
+  volume =       {207},
+  number =       {2},
+  pages =        {284-304},
+  month =        feb,
+  year =         {2009},
+}
+
+@InProceedings{SwamyEtAl:Fstar2011,
+  author = 	 {Nikhil Swamy and Juan Chen and C{\'e}dric Fournet and
+                  Pierre-Yves Strub and Karthikeyan Bhargavan and Jean Yang},
+  title = 	 {Secure distributed programming with value-dependent types},
+  booktitle =	 {ICFP 2011},
+  publisher =	 {ACM},
+  month =	 sep,
+  year =	 {2011},
+  pages =	 {266-278},
+}
+
+@Book{Nipkow-Paulson-Wenzel02,
+  author =	 {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel},
+  title = 	 {{Isabelle/HOL} --- A Proof Assistant for Higher-Order Logic},
+  publisher = 	 {Springer},
+  year = 	 2002,
+  volume =	 2283,
+  series =	 LNCS,
+}
+
+@InProceedings{BoveDybjerNorell:BriefAgda,
+  author = 	 {Ana Bove and Peter Dybjer and Ulf Norell},
+  title = 	 {A Brief Overview of {A}gda --- A Functional Language with Dependent Types},
+  booktitle =	 {TPHOLs 2009},
+  series =	 lncs,
+  volume =	 {5674},
+  publisher =	 {Springer},
+  month =	 aug,
+  year =	 {2009},
+  pages =	 {73-78},
+}
+
+@InProceedings{PaulinMohring:InductiveCoq,
+  author =       {Christine Paulin-Mohring},
+  title =        {Inductive Definitions in the system {C}oq --- Rules and Properties},
+  booktitle =    {TLCA '93},
+  series =       lncs,
+  volume =       {664},
+  pages =        {328-345},
+  year =         {1993},
+  publisher =    {Springer},
+}
+
+@TechReport{CamilleriMelham:InductiveRelations,
+  author =       {Juanito Camilleri and Tom Melham},
+  title =        {Reasoning with Inductively Defined Relations
+                  in the {HOL} Theorem Prover},
+  institution =  {University of Cambridge Computer Laboratory},
+  year =         {1992},
+  number =       {265},
+  OPTmonth =     aug,
+}
+
+@Book{Winskel:FormalSemantics,
+  author =       {Glynn Winskel},
+  title =        {The Formal Semantics of Programming Languages: An Introduction},
+  publisher =    {MIT Press},
+  year =         {1993},
+}
+
+@inproceedings{Paulson:CADE1994,
+  author    = {Lawrence C. Paulson},
+  title     = {A Fixedpoint Approach to Implementing (Co)Inductive Definitions},
+  booktitle = {CADE-12},
+  editor    = {Alan Bundy},
+  volume    = {814},
+  series    = lncs,
+  publisher = {Springer},
+  year      = {1994},
+  pages     = {148-161},
+}
+
+@InProceedings{Harrison:InductiveDefs,
+  author =       {John Harrison},
+  title =        {Inductive Definitions: Automation and Application},
+  booktitle =    {TPHOLs 1995},
+  year =         {1995},
+  editor =       {E. Thomas Schubert and Phillip J. Windley and Jim Alves-Foss},
+  volume =       {971},
+  series =       lncs,
+  pages =        {200-213},
+  publisher =    {Springer},
+}
+
+@Article{ManoliosMoore:PartialFunctions,
+  author =       {Panagiotis Manolios and J Strother Moore},
+  title =        {Partial Functions in {ACL2}},
+  journal =      {Journal of Automated Reasoning},
+  year =         {2003},
+  volume =       {31},
+  number =       {2},
+  pages =        {107-127},
+}
+
+@PhdThesis{Krauss:PhD,
+  author =       {Alexander Krauss},
+  title =        {Automating Recursive Definitions and Termination Proofs in Higher-Order Logic},
+  school =       {Technische Universit{\"a}t M{\"u}nchen},
+  year =         {2009},
+}
+
diff --git a/v4.10.0/DafnyRef/out/README b/v4.10.0/DafnyRef/out/README
new file mode 100644
index 0000000..e61556c
--- /dev/null
+++ b/v4.10.0/DafnyRef/out/README
@@ -0,0 +1,4 @@
+The DafnyRef.pdf in this folder is here, and committed to git,
+for legacy reasons: it is where various links around the web
+and on the Dafny web site point. It is no longer updated and
+includes a warning to that effect.
diff --git a/v4.10.0/DafnyRef/paper-full.bib b/v4.10.0/DafnyRef/paper-full.bib
new file mode 100644
index 0000000..0086cc8
--- /dev/null
+++ b/v4.10.0/DafnyRef/paper-full.bib
@@ -0,0 +1,577 @@
+@string{lncs = "Lecture Notes in Computer Science"}
+@string{lnai = "Lecture Notes in Artificial Intelligence"}
+
+@InProceedings{Dafny:LPAR16,
+  author =       {K. Rustan M. Leino},
+  title =        {Dafny: An Automatic Program Verifier for Functional Correctness},
+  booktitle =    {LPAR-16},
+  year =         {2010},
+  volume =       {6355},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        apr,
+  editor =       {Edmund M. Clarke and Andrei Voronkov},
+  pages =        {348-370},
+}
+
+@InCollection{LeinoMoskal:UsableProgramVerification,
+  author = 	 {K. Rustan M. Leino and Micha{\l} Moskal},
+  title = 	 {Usable Auto-Active Verification},
+  booktitle = 	 {UV10 (Usable Verification) workshop},
+  year =	 {2010},
+  editor =	 {Tom Ball and Lenore Zuck and N. Shankar},
+  month =	 nov,
+  publisher =	 {\url{http://fm.csl.sri.com/UV10/}},
+}
+
+@InProceedings{Leino:VMCAI2012,
+  author = 	 {K. Rustan M. Leino},
+  title = 	 {Automating Induction with an {SMT} Solver},
+  booktitle =	 {Verification, Model Checking, and Abstract Interpretation --- 13th International Conference, VMCAI 2012},
+  pages =	 {315-331},
+  year =	 {2012},
+  editor =	 {Viktor Kuncak and Andrey Rybalchenko},
+  volume =	 {7148},
+  series =	 lncs,
+  month =	 jan,
+  publisher =	 {Springer},
+}
+
+@InProceedings{LeinoMonahan:Comprehensions,
+  author =    {K. Rustan M. Leino and Rosemary Monahan},
+  title =     {Reasoning about Comprehensions with First-Order {SMT} Solvers},
+  booktitle = {Proceedings of the 2009 ACM Symposium on Applied Computing (SAC)},
+  editor =    {Sung Y. Shin and Sascha Ossowski},
+  publisher = {ACM},
+  month =     mar,
+  year =      2009,
+  pages =     {615-622},
+}
+
+@TechReport{VeriFast:TR,
+  author =       {Bart Jacobs and Frank Piessens},
+  title =        {The {VeriFast} program verifier},
+  institution =  {Department of Computer Science, Katholieke Universiteit Leuven},
+  year =         {2008},
+  number =       {CW-520},
+  month =        aug,
+}
+
+@InProceedings{LGLM:BVD,
+  author = 	 {Le Goues, Claire and K. Rustan M. Leino and Micha{\l} Moskal},
+  title = 	 {The {B}oogie {V}erification {D}ebugger (Tool Paper)},
+  booktitle =	 {Software Engineering and Formal Methods --- 9th International Conference, SEFM 2011},
+  pages =	 {407-414},
+  year =	 {2011},
+  editor =	 {Gilles Barthe and Alberto Pardo and Gerardo Schneider},
+  volume =	 {7041},
+  series =	 lncs,
+  month =	 nov,
+  publisher =	 {Springer},
+}
+
+@inproceedings{Paulson:coinduction2000,
+  author    = {Lawrence C. Paulson},
+  title     = {A fixedpoint approach to (co)inductive and (co)datatype
+               definitions},
+  booktitle = {Proof, Language, and Interaction},
+  year      = {2000},
+  pages     = {187-212},
+  crossref  = {DBLP:conf/birthday/1999milner},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+@proceedings{DBLP:conf/birthday/1999milner,
+  editor    = {Gordon D. Plotkin and
+               Colin Stirling and
+               Mads Tofte},
+  title     = {Proof, Language, and Interaction, Essays in Honour of Robin
+               Milner},
+  booktitle = {Proof, Language, and Interaction},
+  publisher = {The MIT Press},
+  year      = {2000},
+  isbn      = {978-0-262-16188-6},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+
+@inproceedings{Paulson:coinduction1994,
+  author    = {Lawrence C. Paulson},
+  title     = {A Fixedpoint Approach to Implementing (Co)Inductive Definitions},
+  booktitle = {CADE},
+  year      = {1994},
+  pages     = {148-161},
+  ee        = {http://dx.doi.org/10.1007/3-540-58156-1_11},
+  crossref  = {DBLP:conf/cade/1994},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+@proceedings{DBLP:conf/cade/1994,
+  editor    = {Alan Bundy},
+  title     = {Automated Deduction - CADE-12, 12th International Conference
+               on Automated Deduction, Nancy, France, June 26 - July 1,
+               1994, Proceedings},
+  booktitle = {CADE},
+  publisher = {Springer},
+  series    = lncs,
+  volume    = {814},
+  year      = {1994},
+  isbn      = {3-540-58156-1},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+
+@inproceedings{Hausmann:CoCasl,
+  author    = {Daniel Hausmann and
+               Till Mossakowski and
+               Lutz Schr{\"o}der},
+  title     = {Iterative Circular Coinduction for {CoCasl} in {I}sabelle/{HOL}},
+  booktitle = {Fundamental Approaches to Software Engineering, 8th International
+               Conference, FASE 2005},
+  editor    = {Maura Cerioli},
+  series    = lncs,
+  volume    = {3442},
+  publisher = {Springer},
+  year      = {2005},
+  pages     = {341-356},
+}
+
+@inproceedings{Rosu:CIRC,
+  author    = {Dorel Lucanu and
+               Grigore Rosu},
+  title     = {{CIRC}: A Circular Coinductive Prover},
+  booktitle = {CALCO},
+  year      = {2007},
+  pages     = {372-378},
+  ee        = {http://dx.doi.org/10.1007/978-3-540-73859-6_25},
+  crossref  = {DBLP:conf/calco/2007},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+@proceedings{DBLP:conf/calco/2007,
+  editor    = {Till Mossakowski and
+               Ugo Montanari and
+               Magne Haveraaen},
+  title     = {Algebra and Coalgebra in Computer Science, Second International
+               Conference, CALCO 2007, Bergen, Norway, August 20-24, 2007,
+               Proceedings},
+  booktitle = {CALCO},
+  publisher = {Springer},
+  series    = lncs,
+  volume    = {4624},
+  year      = {2007},
+  isbn      = {978-3-540-73857-2},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+
+@inproceedings{Rosu:circRule,
+  author    = {Grigore Rosu and
+               Dorel Lucanu},
+  title     = {Circular Coinduction: A Proof Theoretical Foundation},
+  booktitle = {CALCO},
+  year      = {2009},
+  pages     = {127-144},
+  ee        = {http://dx.doi.org/10.1007/978-3-642-03741-2_10},
+  crossref  = {DBLP:conf/calco/2009},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+@proceedings{DBLP:conf/calco/2009,
+  editor    = {Alexander Kurz and
+               Marina Lenisa and
+               Andrzej Tarlecki},
+  title     = {Algebra and Coalgebra in Computer Science, Third International
+               Conference, CALCO 2009, Udine, Italy, September 7-10, 2009.
+               Proceedings},
+  booktitle = {CALCO},
+  publisher = {Springer},
+  series    = lncs,
+  volume    = {5728},
+  year      = {2009},
+  isbn      = {978-3-642-03740-5},
+  ee        = {http://dx.doi.org/10.1007/978-3-642-03741-2},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{VCC,
+  author    = {Ernie Cohen and
+               Markus Dahlweid and
+               Mark A. Hillebrand and
+               Dirk Leinenbach and
+               Micha{\l} Moskal and
+               Thomas Santen and
+               Wolfram Schulte and
+               Stephan Tobies},
+  title     = {{VCC}: A Practical System for Verifying Concurrent {C}},
+  booktitle = {TPHOLs 2009},
+  series    = LNCS,
+  publisher = {Springer},
+  volume    = {5674},
+  year      = {2009},
+  pages     = {23-42},
+}
+
+@InProceedings{VeriFast:ProgramsAsProofs,
+  author = 	 {Bart Jacobs and Jan Smans and Frank Piessens},
+  title = 	 {{VeriFast}: Imperative Programs as Proofs},
+  booktitle =	 {VS-Tools workshop at VSTTE 2010},
+  year =	 {2010},
+  month =	 aug,
+}
+
+@book{DijkstraScholten:book,
+  author = "Edsger W. Dijkstra and Carel S. Scholten",
+  title = "Predicate Calculus and Program Semantics",
+  publisher = "Springer-Verlag",
+  series = "Texts and Monographs in Computer Science",
+  year = 1990
+}
+
+@Book{BirdWadler:IntroFunctionalProgramming,
+  author = 	 {Richard Bird and Philip Wadler},
+  title = 	 {Introduction to Functional Programming},
+  publisher = 	 {Prentice Hall},
+  series =	 {International Series in Computing Science},
+  year = 	 {1992},
+}
+
+@inproceedings{Z3,
+  author    = "de Moura, Leonardo and Nikolaj Bj{\o}rner",
+  title     = {{Z3}: An efficient {SMT} solver},
+  booktitle = {Tools and Algorithms for the Construction and
+                  Analysis of Systems, 14th International Conference,
+                  TACAS 2008},
+  editor    = {C. R. Ramakrishnan and Jakob Rehof},
+  series    = lncs,
+  volume    = 4963,
+  publisher = {Springer},
+  year      = 2008,
+  pages     = {337-340},
+}
+
+@phdthesis{moy09phd,
+  author = {Yannick Moy},
+  title = {Automatic Modular Static Safety Checking for C Programs},
+  school = {Universit{\'e} Paris-Sud},
+  year = 2009,
+  month = jan,
+  topics = {team},
+  x-equipes = {demons PROVAL},
+  x-type = {these},
+  x-support = {rapport},
+  url = {http://www.lri.fr/~marche/moy09phd.pdf}
+}
+@Book{PeytonJones:Haskell,
+  author = 	 {Peyton Jones, Simon},
+  title = 	 {Haskell 98 language and libraries: the Revised Report},
+  publisher = 	 {Cambridge University Press},
+  year = 	 {2003},
+}
+
+@InProceedings{Park:InfSeq,
+  author = 	 {David Park},
+  title = 	 {Concurrency and automata on infinite sequences},
+  booktitle =	 {Theoretical Computer Science, 5th GI-Conference},
+  editor =	 {Peter Deussen},
+  volume =	 {104},
+  series =	 lncs,
+  publisher =	 {Springer},
+  year =	 {1981},
+  pages =	 {167-183},
+}
+
+@Article{Leroy:CompCert:CACM,
+  author = 	 {Xavier Leroy},
+  title = 	 {Formal verification of a realistic compiler},
+  journal = 	 cacm,
+  volume =	 {52},
+  number =	 {7},
+  month =	 jul,
+  year = 	 {2009},
+  pages =	 {107-115},
+}
+
+@Book{KeY:book,
+   author    = {Bernhard Beckert and Reiner H{\"a}hnle and Peter H. Schmitt},
+   title     = {Verification of Object-Oriented Software: The {KeY} Approach},
+   volume    = 4334,
+   series    = lnai,
+   publisher = {Springer},
+   year      = 2007,
+}
+
+@Book{Nipkow-Paulson-Menzel02,
+  author =	 {Tobias Nipkow and Lawrence Paulson and Markus Menzel},
+  title = 	 {{Isabelle/HOL} --- A Proof Assistant for Higher-Order Logic},
+  publisher = 	 {Springer},
+  year = 	 2002,
+  volume =	 2283,
+  series =	 LNCS,
+}
+
+@Book{Coq:book,
+  author =	 {Yves Bertot and Pierre Cast{\'e}ran},
+  title = 	 {Interactive Theorem Proving and Program Development --- {C}oq'{A}rt: The Calculus of Inductive Constructions},
+  publisher = 	 {Springer},
+  year = 	 {2004},
+  series =	 {Texts in Theoretical Computer Science},
+}
+
+@Book{ACL2:book,
+  author =	 {Matt Kaufmann and Panagiotis Manolios and J Strother Moore},
+  title = 	 {Computer-Aided Reasoning: An Approach},
+  publisher = 	 {Kluwer Academic Publishers},
+  year = 	 {2000},
+}
+
+@Book{BoyerMoore:book,
+  author =       {Robert S. Boyer and J Strother Moore},
+  title =        {A Computational Logic},
+  publisher =    {Academic Press},
+  series =       {ACM Monograph Series},
+  year =         {1979},
+}
+
+@article{Bertot:CoinductionInCoq,
+  location = {http://www.scientificcommons.org/8157029},
+  title = {CoInduction in {C}oq},
+  author = {Bertot, Yves},
+  year = {2005},
+  publisher = {HAL - CCSd - CNRS},
+  url = {http://hal.inria.fr/inria-00001174/en/},
+  institution = {CCSd/HAL : e-articles server (based on gBUS) [http://hal.ccsd.cnrs.fr/oai/oai.php] (France)},
+}
+
+@InProceedings{Coq:Coinduction,
+  author = 	 {Eduardo Gim{\'e}nez},
+  title = 	 {An Application of Co-inductive Types in {Coq}: Verification of the Alternating Bit Protocol},
+  booktitle =    {Types for Proofs and Programs, International Workshop TYPES'95},
+  pages =	 {135-152},
+  year =	 {1996},
+  editor =	 {Stefano Berardi and Mario Coppo},
+  volume =	 1158,
+  series =	 lncs,
+  publisher =	 {Springer},
+}
+
+@InProceedings{Boogie:Architecture,
+  author = "Mike Barnett and Bor-Yuh Evan Chang and Robert DeLine and
+                  Bart Jacobs and K. Rustan M. Leino",
+  title = "{B}oogie: A Modular Reusable Verifier for Object-Oriented Programs",
+  booktitle = "Formal Methods for Components and Objects:  4th
+                  International Symposium, FMCO 2005",
+  editor = "de Boer, Frank S. and Marcello M. Bonsangue and
+                  Susanne Graf and de Roever, Willem-Paul",
+  series = lncs,
+  volume = 4111,
+  publisher = "Springer",
+  month = sep,
+  year = 2006,
+  pages = "364-387"
+}
+
+@InCollection{JacobsRutten:IntroductionCoalgebra,
+  author = 	 {Bart Jacobs and Jan Rutten},
+  title = 	 {An Introduction to (Co)Algebra and (Co)Induction},
+  booktitle = 	 {Advanced Topics in Bisimulation and Coinduction},
+  editor =	 {Davide Sangiorgi and Jan Rutten},
+  series =	 {Cambridge Tracts in Theoretical Computer Science},
+  number =	 {52},
+  publisher =	 {Cambridge University Press},
+  month =	 oct,
+  year =	 {2011},
+  pages =	 {38-99},
+}
+
+@Book{Chlipala,
+  author = 	 {Adam Chlipala},
+  title = 	 {Certified Programming with Dependent Types},
+  publisher = 	 {MIT Press},
+  year = 	 {To appear},
+  note =         {http://adam.chlipala.net/cpdt/}
+}
+
+@Misc{Charity,
+  author =	 {Robin Cockett},
+  title =	 {The {CHARITY} home page},
+  howpublished = {\url{http://pll.cpsc.ucalgary.ca/charity1/www/home.html}},
+  year =	 {1996},
+}
+
+@Article{Tarski:theorem,
+  author = "Alfred Tarski",
+  title = "A lattice-theoretical fixpoint theorem and its applications",
+  journal = "Pacific Journal of Mathematics",
+  year = 1955,
+  volume = 5,
+  pages = "285-309"
+}
+
+@InProceedings{PVS,
+  author = "Sam Owre and S. Rajan and John M. Rushby and Natarajan
+		  Shankar and Mandayam K. Srivas",
+  title = "{PVS}: Combining Specification, Proof Checking, and Model
+		  Checking",
+  editor = "Rajeev Alur and Thomas A. Henzinger",
+  booktitle = "Computer Aided Verification, 8th International
+		  Conference, CAV '96",
+  volume = 1102,
+  series = lncs,
+  publisher = "Springer",
+  year = 1996,
+  pages = "411-414"
+}
+
+@InProceedings{SonnexEtAl:Zeno,
+  author = 	 {William Sonnex and Sophia Drossopoulou and Susan Eisenbach},
+  title = 	 {Zeno: An Automated Prover for Properties of Recursive
+                  Data Structures},
+  booktitle =	 {Tools and Algorithms for the Construction and Analysis of
+                  Systems --- 18th International Conference, TACAS 2012},
+  editor =	 {Cormac Flanagan and Barbara K{\"o}nig},
+  volume =	 {7214},
+  series =	 lncs,
+  year =	 {2012},
+  month =	 mar # "--" # apr,
+  publisher =	 {Springer},
+  pages =	 {407-421},
+}
+
+@InProceedings{JohanssonEtAl:IPT2010,
+  author = 	 {Moa Johansson and Lucas Dixon and Alan Bundy},
+  title = 	 {Case-Analysis for {R}ippling and Inductive Proof},
+  booktitle =	 {Interactive Theorem Proving, First International Conference, ITP 2010},
+  editor =	 {Matt Kaufmann and Lawrence C. Paulson},
+  volume =	 {6172},
+  series =	 lncs,
+  publisher =	 {Springer},
+  month =	 jul,
+  year =	 {2010},
+  pages =	 {291-306},
+}
+
+@book{Milner:CCS,
+ author = "Robin Milner",
+ title = {A  Calculus of Communicating Systems},
+ year = {1982},
+ isbn = {0387102353},
+ publisher = {Springer-Verlag New York, Inc.},
+}
+
+@InProceedings{BoehmeNipkow:Sledgehammer,
+  author = 	 {Sascha B{\"o}hme and Tobias Nipkow},
+  title = 	 {Sledgehammer: {J}udgement {D}ay},
+  booktitle =	 {Automated Reasoning, 5th International Joint Conference, IJCAR 2010},
+  editor =	 {J{\"u}rgen Giesl and Reiner H{\"a}hnle},
+  year =	 {2010},
+  pages =	 {107-121},
+  volume =	 {6173},
+  series =	 lncs,
+  month =	 jul,
+  publisher =	 {Springer},
+}
+
+@PhdThesis{Norell:PhD,
+  author = 	 {Ulf Norell},
+  title = 	 {Towards a practical programming language based on dependent type theory},
+  school = 	 {Department of Computer Science and Engineering, Chalmers
+                  University of Technology},
+  year = 	 {2007},
+  month =	 sep,
+}
+
+@Article{Paulson:MechanizingCoRecursion,
+  author = 	 {Lawrence C. Paulson},
+  title = 	 {Mechanizing Coinduction and Corecursion in Higher-order Logic},
+  journal = 	 {Journal of Logic and Computation},
+  year = 	 {1997},
+  volume =	 {7},
+}
+
+@InProceedings{Bertot:sieve,
+  author = 	 {Yves Bertot},
+  title = 	 {Filters on CoInductive Streams, an Application to {E}ratosthenes' Sieve},
+  booktitle =	 {Typed Lambda Calculi and Applications, 7th International Conference,
+                  TLCA 2005},
+  editor =	 {Pawel Urzyczyn},
+  series =	 lncs,
+  volume =	 {3461},
+  month =	 apr,
+  year =	 {2005},
+  pages =	 {102-115},
+  publisher =	 {Springer},
+}
+
+@Misc{AltenkirchDanielsson:QuantifierInversion,
+  author =	 {Thorsten Altenkirch and Nils Anders Danielsson},
+  title =	 {Termination Checking in the Presence of Nested Inductive and Coinductive Types},
+  howpublished = {Short note supporting a talk given at PAR 2010, Workshop on Partiality and Recursion in Interactive Theorem Provers},
+  year =	 {2010},
+  note =	 {Available from \url{http://www.cse.chalmers.se/~nad/publications/}.},
+}
+
+@InProceedings{HurEtAl:Paco,
+  author = {Hur, Chung-Kil and Neis, Georg and Dreyer, Derek and Vafeiadis, Viktor},
+  title = {The power of parameterization in coinductive proof},
+  booktitle = {Proceedings of the 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '13},
+  editor =	 {Roberto Giacobazzi and Radhia Cousot},
+  pages = {193--206},
+  month = jan,
+  year =	 {2013},
+  publisher =	 {ACM},
+}
+
+@InProceedings{BoveDybjerNorell:BriefAgda,
+  author = 	 {Ana Bove and Peter Dybjer and Ulf Norell},
+  title = 	 {A Brief Overview of {A}gda --- A Functional Language with Dependent Types},
+  booktitle =	 {Theorem Proving in Higher Order Logics, 22nd International Conference, TPHOLs 2009},
+  editor =	 {Stefan Berghofer and Tobias Nipkow and Christian Urban and Makarius Wenzel},
+  series =	 lncs,
+  volume =	 {5674},
+  publisher =	 {Springer},
+  month =	 aug,
+  year =	 {2009},
+  pages =	 {73-78},
+}
+
+@Article{Moore:Piton,
+  author = 	 {J Strother Moore},
+  title = 	 {A Mechanically Verified Language Implementation},
+  journal = 	 {Journal of Automated Reasoning},
+  year = 	 {1989},
+  volume =	 {5},
+  number =	 {4},
+  pages =	 {461-492},
+}
+
+@InProceedings{Leroy:ESOP2006,
+  author = 	 {Xavier Leroy},
+  title = 	 {Coinductive Big-Step Operational Semantics},
+  booktitle =	 {Programming Languages and Systems, 15th European Symposium on Programming, ESOP 2006},
+  pages =	 {54-68},
+  year =	 {2006},
+  editor =	 {Peter Sestoft},
+  volume =	 {3924},
+  series =	 lncs,
+  month =	 mar,
+  publisher =	 {Springer},
+}
+
+@InProceedings{Leino:ITP2013,
+  author = 	 {K. Rustan M. Leino},
+  title = 	 {Automating Theorem Proving with {SMT}},
+  booktitle =	 {Interactive Theorem Proving --- 4th International Conference, ITP 2013},
+  year =	 {2013},
+  editor =	 {Sandrine Blazy and Christine Paulin-Mohring and David Pichardie},
+  volume =	 {7998},
+  series =	 lncs,
+  pages =	 {2-16},
+  month =	 jul,
+  publisher =	 {Springer},
+}
+
+@TechReport{TR-version,
+  author = 	 {K. Rustan M. Leino and Micha{\l} Moskal},
+  title = 	 {Co-induction Simply:  Automatic Co-inductive Proofs in a Program Verifier},
+  institution =  {Microsoft Research},
+  year = 	 {2013},
+  number =	 {MSR-TR-2013-49},
+  month =	 may,
+}
diff --git a/v4.10.0/DafnyRef/poc.bib b/v4.10.0/DafnyRef/poc.bib
new file mode 100644
index 0000000..51747a0
--- /dev/null
+++ b/v4.10.0/DafnyRef/poc.bib
@@ -0,0 +1,523 @@
+@string{lncs = "LNCS"}
+@string{lnai = "LNAI"}
+
+@InCollection{LeinoMoskal:UsableProgramVerification,
+  author = 	 {K. Rustan M. Leino and Micha{\l} Moskal},
+  title = 	 {Usable Auto-Active Verification},
+  booktitle = 	 {Usable Verification workshop},
+  year =	 {2010},
+  editor =	 {Tom Ball and Lenore Zuck and N. Shankar},
+  publisher =	 {\url{http://fm.csl.sri.com/UV10/}},
+}
+  booktitle = 	 {UV10 (Usable Verification) workshop},
+  month =	 nov,
+
+@Book{Coq:book,
+  author =	 {Yves Bertot and Pierre Cast{\'e}ran},
+  title = 	 {Interactive Theorem Proving and Program Development --- {C}oq'{A}rt: The Calculus of Inductive Constructions},
+  publisher = 	 {Springer},
+  year = 	 {2004},
+}
+  series =	 {Texts in Theoretical Computer Science},
+
+@Manual{Isabelle:Guide,
+  title = 	 {Programming and Proving in {I}sabelle/{HOL}},
+  author =	 {Tobias Nipkow},
+  organization = {\url{http://isabelle.informatik.tu-muenchen.de/}},
+  year =	 {2012},
+}
+  month = 	 may,
+
+@InProceedings{Leino:Dafny:LPAR16,
+  author =       {K. Rustan M. Leino},
+  title =        {Dafny: An Automatic Program Verifier for Functional Correctness},
+  booktitle =    {LPAR-16},
+  year =         {2010},
+  volume =       {6355},
+  series =       lncs,
+  publisher =    {Springer},
+  pages =        {348-370},
+}
+  editor =       {Edmund M. Clarke and Andrei Voronkov},
+  month =        apr,
+
+@InProceedings{VCC:TPHOLs,
+  author =       {Ernie Cohen and Markus Dahlweid and Mark
+                  A. Hillebrand and Dirk Leinenbach and Micha{\l}
+                  Moskal and Thomas Santen and Wolfram Schulte and
+                  Stephan Tobies},
+  title =        {{VCC}: A Practical System for Verifying Concurrent {C}},
+  booktitle =    {TPHOLs 2009},
+  volume =       {5674},
+  series =       lncs,
+  publisher =    {Springer},
+  year =         {2009},
+  pages =        {23-42},
+}
+  booktitle =    {Theorem Proving in Higher Order Logics, 22nd International Conference, TPHOLs 2009},
+  editor =       {Stefan Berghofer and Tobias Nipkow and Christian
+                  Urban and Makarius Wenzel},
+  month =        aug,
+
+@TechReport{VeriFast:TR,
+  author =       {Bart Jacobs and Frank Piessens},
+  title =        {The {VeriFast} program verifier},
+  institution =  {Department of Computer Science, Katholieke Universiteit Leuven},
+  year =         {2008},
+  number =       {CW-520},
+}
+  month =        aug,
+
+@InProceedings{VeriFast:ProgramsAsProofs,
+  author = 	 {Bart Jacobs and Jan Smans and Frank Piessens},
+  title = 	 {{VeriFast}: Imperative Programs as Proofs},
+  booktitle =	 {VS-Tools workshop at VSTTE 2010},
+  year =	 {2010},
+}
+  month =	 aug,
+
+@Article{IPL:vol53:3,
+  author = 	 {Roland Backhouse},
+  title = 	 {Special issue on The Calculational Method},
+  journal = 	 {Information Processing Letters},
+  year = 	 {1995},
+  volume =	 {53},
+  number =	 {3},
+  pages =        {121-172},
+}
+  month =	 feb,
+
+@InProceedings{VonWright:ExtendingWindowInference,
+  author = 	 {von Wright, Joakim},
+  title = 	 {Extending Window Inference},
+  booktitle =	 {TPHOLs'98},
+  pages =	 {17-32},
+  year =	 {1998},
+  volume =	 {1479},
+  series =	 lncs,
+  publisher =	 {Springer},
+}
+  booktitle =	 {Theorem Proving in Higher Order Logics, 11th International Conference, TPHOLs'98},
+  editor =	 {Jim Grundy and Malcolm C. Newey},
+
+@PhdThesis{Wenzel:PhD,
+  author = 	 {Markus Wenzel},
+  title = 	 {{I}sabelle/{I}sar --- a versatile environment for human-readable formal proof documents},
+  school = 	 {Institut f{\"u}r Informatik, Technische Universit{\"a}t M{\"u}nchen},
+  year = 	 {2002},
+}
+
+@InProceedings{BauerWenzel:IsarExperience,
+  author = 	 {Gertrud Bauer and Markus Wenzel},
+  title = 	 {Calculational reasoning revisited: an {I}sabelle/{I}sar experience},
+  booktitle =	 {TPHOLs 2001},
+  pages =	 {75-90},
+  year =	 {2001},
+  volume =	 {2152},
+  series =	 lncs,
+  publisher =	 {Springer},
+}
+  booktitle =	 {Theorem Proving in Higher Order Logics, 14th International Conference, TPHOLs 2001},
+  editor =	 {Richard J. Boulton and Paul B. Jackson},
+  month =	 sep,
+
+@InCollection{KoenigLeino:MOD2011,
+  author =    {Jason Koenig and K. Rustan M. Leino},
+  title =     {Getting Started with {D}afny: A Guide},
+  booktitle = {Software Safety and Security:  Tools for Analysis and Verification},
+  pages =     {152-181},
+  publisher = {IOS Press},
+  year =      {2012},
+}
+  volume =    {33},
+  series =    {NATO Science for Peace and Security Series D: Information and Communication Security},
+  editor =    {Tobias Nipkow and Orna Grumberg and Benedikt Hauptmann},
+  note =      {Summer School Marktoberdorf 2011 lecture notes},
+
+@InProceedings{Leino:induction,
+  author = 	 {K. Rustan M. Leino},
+  title = 	 {Automating Induction with an {SMT} Solver},
+  booktitle =	 {VMCAI 2012},
+  pages =	 {315-331},
+  year =	 {2012},
+  volume =	 {7148},
+  series =	 lncs,
+  publisher =	 {Springer},
+}
+  booktitle =	 {Verification, Model Checking, and Abstract Interpretation - 13th International Conference, VMCAI 2012},
+  editor =	 {Viktor Kuncak and Andrey Rybalchenko},
+  month =	 jan,
+
+@article{Hoare:AxiomaticBasis,
+  author    = "C. A. R. Hoare",
+  title     = "An axiomatic basis for computer programming",
+  journal   = cacm,
+  volume    = 12,
+  number    = 10,
+  year      = 1969,
+  pages     = "576--580,583"
+}
+  month     = oct,
+
+@Article{Simplify:tome,
+  author = "David Detlefs and Greg Nelson and James B. Saxe",
+  title = "Simplify: a theorem prover for program checking",
+  journal = JACM,
+  volume = 52,
+  number = 3,
+  year = 2005,
+  pages = "365-473",
+}
+  month = may,
+
+@techreport{Nelson:thesis,
+  author = "Charles Gregory Nelson",
+  title = "Techniques for Program Verification",
+  institution = "Xerox PARC",
+  year = 1981,
+  number = "CSL-81-10",
+  note = "PhD thesis, Stanford University"
+}
+  month = jun,
+
+@inproceedings{deMouraBjorner:Z3:overview,
+  author    = "de Moura, Leonardo and Nikolaj Bj{\o}rner",
+  title     = {{Z3}: An efficient {SMT} solver},
+  booktitle = {Tools and Algorithms for the Construction and
+                  Analysis of Systems, 14th International Conference,
+                  TACAS 2008},
+  series    = lncs,
+  volume    = 4963,
+  publisher = {Springer},
+  year      = 2008,
+  pages     = {337-340},
+}
+  editor    = {C. R. Ramakrishnan and Jakob Rehof},
+  month     = mar # "--" # apr,
+
+@InProceedings{LGLM:BVD,
+  author = 	 {Le Goues, Claire and K. Rustan M. Leino and Micha{\l} Moskal},
+  title = 	 {The {B}oogie {V}erification {D}ebugger (Tool Paper)},
+  booktitle =	 {Software Engineering and Formal Methods - 9th International Conference, SEFM 2011},
+  pages =	 {407-414},
+  year =	 {2011},
+  volume =	 {7041},
+  series =	 lncs,
+  publisher =	 {Springer},
+}
+  editor =	 {Gilles Barthe and Alberto Pardo and Gerardo Schneider},
+  month =	 nov,
+
+@InProceedings{HipSpec:WING,
+  author = 	 {Koen Claessen and Moa Johansson and Dan Ros{\'e}n and Nicholas Smallbone},
+  title = 	 {{HipSpec}: Automating Inductive Proofs of Program Properties},
+  booktitle =	 {Workshop on {A}utomated {T}heory e{X}ploration: {ATX} 2012},
+  year =	 {2012},
+}
+  month =	 jul,
+
+@InProceedings{HipSpec:CADE,
+  author = 	 {Koen Claessen and Moa Johansson and Dan Ros{\'e}n and Nicholas Smallbone},
+  title = 	 {Automating Inductive Proofs Using Theory Exploration},
+  booktitle =	 {CADE-24},
+  pages =	 {392-406},
+  year =	 {2013},
+  volume =	 {7898},
+  series =	 lncs,
+  publisher =	 {Springer},
+}
+  booktitle =	 {Automated Deduction --- CADE-24 --- 24th International Conference on Automated Deduction},
+  editor =	 {Maria Paola Bonacina},
+  month =	 jun,
+
+@article{ManoliosMoore:Calc,
+  author    = {Panagiotis Manolios and J. Strother Moore},
+  title     = {On the desirability of mechanizing calculational proofs},
+  journal   = {Inf. Process. Lett.},
+  volume    = {77},
+  number    = {2-4},
+  year      = {2001},
+  pages     = {173-179},
+  ee        = {http://dx.doi.org/10.1016/S0020-0190(00)00200-3},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@article{Lifschitz:DS,
+  title={On Calculational Proofs},
+  author={Vladimir Lifschitz},
+  volume={113},
+  journal={Annals of Pure and Applied Logic},
+  pages={207-224},
+  url="http://www.cs.utexas.edu/users/ai-lab/pub-view.php?PubID=26805",
+  year={2002}
+}
+
+@article{BackGrundyWright:SCP,
+  author      = {Ralph Back and Jim Grundy and Joakim von Wright},
+  title       = {Structured Calculational Proof},
+  journal     = {Formal Aspects of Computing},
+  year        = {1997},
+  volume      = {9},
+  number      = {5--6},
+  pages       = {469--483}
+}
+
+@article{Back:SD,
+ author = {Back, Ralph-Johan},
+ title = {Structured derivations: a unified proof style for teaching mathematics},
+ journal = {Formal Aspects of Computing},
+ issue_date = {September 2010},
+ volume = {22},
+ number = {5},
+ year = {2010},
+ issn = {0934-5043},
+ pages = {629--661},
+ numpages = {33},
+ url = {http://dx.doi.org/10.1007/s00165-009-0136-5},
+ doi = {10.1007/s00165-009-0136-5},
+ acmid = {1858559},
+ publisher = {Springer},
+}
+ month = sep,
+
+@article{Dijkstra:EWD1300,
+  author    = {Edsger W. Dijkstra},
+  title     = {{EWD1300}: The Notational Conventions {I} Adopted, and Why},
+  journal   = {Formal Asp. Comput.},
+  volume    = {14},
+  number    = {2},
+  year      = {2002},
+  pages     = {99-107},
+  ee        = {http://dx.doi.org/10.1007/s001650200030},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{BCDJL05:Boogie,
+  author    = {Michael Barnett and
+               Bor-Yuh Evan Chang and
+               Robert DeLine and
+               Bart Jacobs and
+               K. Rustan M. Leino},
+  title     = {Boogie: A Modular Reusable Verifier for Object-Oriented
+               Programs},
+  booktitle = {FMCO 2005},
+  series = lncs,
+  volume = 4111,
+  publisher = "Springer",
+  year      = {2006},
+  pages     = {364-387},
+}
+  month = sep,
+
+@article{BVW:Mathpad,
+  author    = {Roland Backhouse and
+               Richard Verhoeven and
+               Olaf Weber},
+  title     = {Math{$\!\!\int\!\!$}pad: A System for On-Line Preparation of Mathematical
+               Documents},
+  journal   = {Software --- Concepts and Tools},
+  volume    = {18},
+  number    = {2},
+  year      = {1997},
+  pages     = {80-},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{VB:MathpadPVS,
+  author    = {Richard Verhoeven and
+               Roland Backhouse},
+  title     = {Interfacing Program Construction and Verification},
+  booktitle = {World Congress on Formal Methods},
+  year      = {1999},
+  pages     = {1128-1146},
+  ee        = {http://dx.doi.org/10.1007/3-540-48118-4_10},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{Corbineau:CoqDecl,
+  author    = {Pierre Corbineau},
+  title     = {A Declarative Language for the {Coq} Proof Assistant},
+  booktitle = {TYPES},
+  year      = {2007},
+  pages     = {69-84},
+  ee        = {http://dx.doi.org/10.1007/978-3-540-68103-8_5},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{Wiedijk:Sketches,
+  author    = {Freek Wiedijk},
+  title     = {Formal Proof Sketches},
+  booktitle = {TYPES},
+  year      = {2003},
+  pages     = {378-393},
+  ee        = {http://dx.doi.org/10.1007/978-3-540-24849-1_24},
+  crossref  = {DBLP:conf/types/2003},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@book{DijkstraScholten:Book,
+  author    = {Edsger W. Dijkstra and
+               Carel S. Scholten},
+  title     = {Predicate calculus and program semantics},
+  publisher = {Springer},
+  series    = {Texts and monographs in computer science},
+  year      = {1990},
+  isbn      = {978-3-540-96957-0},
+  pages     = {I-X, 1-220},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{Rudnicki:Mizar,
+    author = {Piotr Rudnicki},
+    title = {An Overview of the {MIZAR} Project},
+    booktitle = {University of Technology, Bastad},
+    year = {1992},
+    pages = {311--332},
+    publisher = {}
+}
+
+@inproceedings{ORS:PVS,
+    AUTHOR = {S. Owre and J. M. Rushby and N. Shankar},
+    TITLE = {{PVS:} {A} Prototype Verification System},
+    BOOKTITLE = {CADE-11},
+    YEAR = {1992},
+    SERIES = lnai,
+    VOLUME = {607},
+    PAGES = {748--752},
+    PUBLISHER = {Springer},
+    URL = {http://www.csl.sri.com/papers/cade92-pvs/}
+}
+    BOOKTITLE = {11th International Conference on Automated Deduction (CADE)},
+    EDITOR = {Deepak Kapur},
+
+@article{Robinson:Window,
+  author    = {Peter J. Robinson and
+               John Staples},
+  title     = {Formalizing a Hierarchical Structure of Practical Mathematical
+               Reasoning},
+  journal   = {J. Log. Comput.},
+  volume    = {3},
+  number    = {1},
+  year      = {1993},
+  pages     = {47-61},
+  ee        = {http://dx.doi.org/10.1093/logcom/3.1.47},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@article{Grundy:WindowHOL,
+  author    = {Jim Grundy},
+  title     = {Transformational Hierarchical Reasoning},
+  journal   = {Comput. J.},
+  volume    = {39},
+  number    = {4},
+  year      = {1996},
+  pages     = {291-302},
+  ee        = {http://dx.doi.org/10.1093/comjnl/39.4.291},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{BN:Sledgehammer,
+  author    = {Sascha B{\"o}hme and
+               Tobias Nipkow},
+  title     = {Sledgehammer: Judgement Day},
+  booktitle = {IJCAR},
+  year      = {2010},
+  pages     = {107-121},
+  ee        = {http://dx.doi.org/10.1007/978-3-642-14203-1_9},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{Armand:CoqSMT,
+  author    = {Micha{\"e}l Armand and
+               Germain Faure and
+               Benjamin Gr{\'e}goire and
+               Chantal Keller and
+               Laurent Th{\'e}ry and
+               Benjamin Werner},
+  title     = {A Modular Integration of {SAT}/{SMT} Solvers to {Coq} through
+               Proof Witnesses},
+  booktitle = {CPP},
+  year      = {2011},
+  pages     = {135-150},
+  ee        = {http://dx.doi.org/10.1007/978-3-642-25379-9_12},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@inproceedings{Besson:CoqSMTReflexive,
+  author    = {Fr{\'e}d{\'e}ric Besson and
+               Pierre-Emmanuel Cornilleau and
+               David Pichardie},
+  title     = {Modular SMT Proofs for Fast Reflexive Checking Inside Coq},
+  booktitle = {CPP},
+  year      = {2011},
+  pages     = {151-166},
+  ee        = {http://dx.doi.org/10.1007/978-3-642-25379-9_13},
+  crossref  = {DBLP:conf/cpp/2011},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@Book{ACL2:book,
+  author =	 {Matt Kaufmann and Panagiotis Manolios and J Strother Moore},
+  title = 	 {Computer-Aided Reasoning: An Approach},
+  publisher = 	 {Kluwer Academic Publishers},
+  year = 	 {2000},
+}
+
+@inproceedings{boogie11why3,
+  author = {Fran\c{c}ois Bobot and Jean-Christophe Filli\^atre and Claude March\'e and Andrei Paskevich},
+  title = {{Why3}: Shepherd Your Herd of Provers},
+  booktitle = {BOOGIE 2011: Workshop on Intermediate Verification Languages},
+  year = 2011,
+  pages = {53--64},
+  url = {http://proval.lri.fr/publications/boogie11final.pdf},
+}
+  booktitle = {BOOGIE 2011: First International Workshop on Intermediate Verification Languages},
+  month = aug,
+
+@InProceedings{zeno,
+  author = 	 {William Sonnex and Sophia Drossopoulou and Susan Eisenbach},
+  title = 	 {Zeno: An Automated Prover for Properties of Recursive
+                  Data Structures},
+  booktitle =	 {TACAS},
+  volume =	 {7214},
+  series =	 lncs,
+  year =	 {2012},
+  publisher =	 {Springer},
+  pages =	 {407-421},
+}
+  booktitle =	 {Tools and Algorithms for the Construction and Analysis of
+                  Systems --- 18th International Conference, TACAS 2012},
+  editor =	 {Cormac Flanagan and Barbara K{\"o}nig},
+  month =	 mar # "--" # apr,
+
+@InProceedings{Chisholm:CalculationByComputer,
+  author = 	 {P. Chisholm},
+  title = 	 {Calculation by computer},
+  booktitle =	 {Third International Workshop on Software Engineering and its Applications},
+  address =	 {Toulouse, France},
+  year =	 {1990},
+  month =	 dec,
+  pages =	 {713-728},
+}
+
+@TechReport{VanDeSnepscheut:Proxac,
+  author = 	 {van de Snepscheut, Jan L. A.},
+  title = 	 {Proxac: an editor for program transformation},
+  institution =  {Caltech},
+  year = 	 {1993},
+  number =	 {CS-TR-93-33},
+}
+
+@InProceedings{VanGasterenBijlsma:CalcExtension,
+  author = 	 {A. J. M. van Gasteren and A. Bijlsma},
+  title = 	 {An extension of the program derivation format},
+  booktitle =	 {PROCOMET '98},
+  pages =	 {167-185},
+  year =	 {1998},
+  publisher =	 {IFIP Conference Proceedings},
+}
+  booktitle =	 {Programming Concepts and Methods, IFIP TC2/WG2.2,2.3 International Conference on
+                  Programming Concepts and Methods (PROCOMET '98)},
+  editor =	 {David Gries and Willem P. de Roever},
+  month =	 jun,
+
diff --git a/v4.10.0/DafnyRef/references.bib b/v4.10.0/DafnyRef/references.bib
new file mode 100644
index 0000000..da84807
--- /dev/null
+++ b/v4.10.0/DafnyRef/references.bib
@@ -0,0 +1,1446 @@
+@InCollection{Leino:Dafny:MOD2008,
+  author =    {K. Rustan M. Leino},
+  title =     {Specification and verification of object-oriented software},
+  booktitle = {Engineering Methods and Tools for Software Safety and Security},
+  pages =     {231-266},
+  publisher = {IOS Press},
+  year =      {2009},
+  editor =    {Manfred Broy and Wassiou Sitou and Tony Hoare},
+  volume =    {22},
+  series =    {NATO Science for Peace and Security Series D: Information and Communication Security},
+  note =      {Summer School Marktoberdorf 2008 lecture notes},
+}
+
+@InCollection{LeinoSchulte:MOD2006,
+  author =    {K. Rustan M. Leino and Wolfram Schulte},
+  title =     {A verifying compiler for a multi-threaded object-oriented language},
+  booktitle = {Software Safety and Security},
+  pages =     {351-416},
+  publisher = {IOS Press},
+  year =      {2007},
+  editor =    {Manfred Broy and Johannes Gr{\"u}nbauer and Tony Hoare},
+  volume =    {9},
+  series =    {NATO Science for Peace and Security Series D: Information and Communication Security},
+  note =      {Summer School Marktoberdorf 2006 lecture notes},
+}
+
+@techreport{ESC:rr,
+  author = "David L. Detlefs and K. Rustan M. Leino and Greg Nelson
+                  and James B. Saxe",
+  title = "Extended static checking",
+  institution = "Compaq Systems Research Center",
+  month = dec,
+  year = 1998,
+  type = "Research Report",
+  number = 159
+}
+
+@Article{Simplify:tome,
+  author = "David Detlefs and Greg Nelson and James B. Saxe",
+  title = "Simplify: a theorem prover for program checking",
+  journal = JACM,
+  volume = 52,
+  number = 3,
+  month = may,
+  year = 2005,
+  pages = "365-473",
+}
+
+@InProceedings{Doomed:FM2009,
+  author =       {Jochen Hoenicke and K. Rustan M. Leino and Andreas
+                  Podelski and Martin Sch{\"a}f and Thomas Wies},
+  title =        {It's Doomed; We Can Prove It},
+  booktitle =    {FM 2009: Formal Methods, Second World Congress},
+  editor =       {Ana Cavalcanti and Dennis Dams},
+  volume =       5850,
+  series =       lncs,
+  publisher =    {Springer},
+  month =        nov,
+  year =         2009,
+  pages =        {338-353},
+}
+
+@InProceedings{Regis-Gianas:Pottier:MPC2008,
+  author =       {Yann R{\'e}gis-Gianas and Fran{\c{c}}ois Pottier},
+  title =        {A {Hoare} Logic for Call-by-Value Functional Programs},
+  booktitle =    {Mathematics of Program Construction, 9th International Conference},
+  editor =       {Philippe Audebaud and Christine Paulin-Mohring},
+  volume =       {5133},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        jul,
+  year =         {2008},
+  pages =        {305-335},
+}
+
+@InProceedings{ZeeKuncakRinard:PLDI2008,
+  author =       {Karen Zee and Viktor Kuncak and Martin C. Rinard},
+  title =        {Full functional verification of linked data structures},
+  booktitle =    {Proceedings of the ACM SIGPLAN 2008 Conference on
+                  Programming Language Design and Implementation},
+  editor =       {Rajiv Gupta and Saman P. Amarasinghe},
+  year =         {2008},
+  month =        jun,
+  publisher =    {ACM},
+  pages =        {349-361},
+}
+
+@InProceedings{VCC:TPHOLs,
+  author =       {Ernie Cohen and Markus Dahlweid and Mark
+                  A. Hillebrand and Dirk Leinenbach and Micha{\l}
+                  Moskal and Thomas Santen and Wolfram Schulte and
+                  Stephan Tobies},
+  title =        {{VCC}: A Practical System for Verifying Concurrent {C}},
+  booktitle =    {Theorem Proving in Higher Order Logics, 22nd
+                  International Conference, TPHOLs 2009},
+  editor =       {Stefan Berghofer and Tobias Nipkow and Christian
+                  Urban and Makarius Wenzel},
+  volume =       {5674},
+  series =       lncs,
+  publisher =    {Springer},
+  year =         {2009},
+  month =        aug,
+  pages =        {23-42},
+}
+
+@InProceedings{seL4:SOSP2009,
+  author =       {Gerwin Klein and Kevin Elphinstone and Gernot Heiser
+                  and June Andronick and David Cock and Philip Derrin
+                  and Dhammika Elkaduwe and Kai Engelhardt and Rafal
+                  Kolanski and Michael Norrish and Thomas Sewell and
+                  Harvey Tuch and Simon Winwood},
+  title =        {{seL4}: formal verification of an {OS} kernel},
+  booktitle =    {Proceedings of the 22nd ACM Symposium on Operating
+                  Systems Principles 2009, SOSP 2009},
+  editor =       {Jeanna Neefe Matthews and Thomas E. Anderson},
+  publisher =    {ACM},
+  month =        oct,
+  year =         {2009},
+  pages =        {207-220},
+}
+
+@book{Meyer:OOP,
+  author = "Bertrand Meyer",
+  title = "Object-oriented Software Construction",
+  publisher = "Prentice-Hall International",
+  series = "Series in Computer Science",
+  year = 1988
+}
+
+@InProceedings{SpecSharp:Overview,
+  author =   {Mike Barnett and K. Rustan M. Leino and Wolfram Schulte},
+  title =    {The {Spec\#} Programming System: An Overview},
+  booktitle = {{CASSIS 2004}, Construction and Analysis of Safe,
+               Secure and Interoperable Smart devices},
+  editor = "Gilles Barthe and Lilian Burdy and Marieke Huisman and
+                  Jean-Louis Lanet and Traian Muntean",
+  series = lncs,
+  volume = 3362,
+  publisher = "Springer",
+  year = 2005,
+  pages = "49-69"
+}
+
+@InProceedings{Kassios:FM2006,
+  author = "Ioannis T. Kassios",
+  title = "Dynamic Frames: Support for Framing, Dependencies and Sharing Without Restrictions",
+  booktitle = "FM 2006: Formal Methods, 14th International Symposium on Formal Methods",
+  editor = "Jayadev Misra and Tobias Nipkow and Emil Sekerinski",
+  series = lncs,
+  volume = 4085,
+  publisher = "Springer",
+  month = aug,
+  year = 2006,
+  pages = "268-283",
+}
+
+@InProceedings{Boogie:Architecture,
+  author = "Mike Barnett and Bor-Yuh Evan Chang and Robert DeLine and
+                  Bart Jacobs and K. Rustan M. Leino",
+  title = "{B}oogie: A Modular Reusable Verifier for Object-Oriented Programs",
+  booktitle = "Formal Methods for Components and Objects:  4th
+                  International Symposium, FMCO 2005",
+  editor = "de Boer, Frank S. and Marcello M. Bonsangue and
+                  Susanne Graf and de Roever, Willem-Paul",
+  series = lncs,
+  volume = 4111,
+  publisher = "Springer",
+  month = sep,
+  year = 2006,
+  pages = "364-387"
+}
+
+@Misc{Leino:Boogie2-RefMan,
+  author = {K. Rustan M. Leino},
+  title = {This is {B}oogie 2},
+  howpublished = {Manuscript KRML 178},
+  year = 2008,
+  note = "Available at \url{http://research.microsoft.com/~leino/papers.html}",
+}
+
+@inproceedings{deMouraBjorner:Z3:overview,
+  author    = "de Moura, Leonardo and Nikolaj Bj{\o}rner",
+  title     = {{Z3}: An efficient {SMT} solver},
+  booktitle = {Tools and Algorithms for the Construction and
+                  Analysis of Systems, 14th International Conference,
+                  TACAS 2008},
+  editor    = {C. R. Ramakrishnan and Jakob Rehof},
+  series    = lncs,
+  volume    = 4963,
+  publisher = {Springer},
+  month     = mar # "--" # apr,
+  year      = 2008,
+  pages     = {337-340},
+}
+
+@InProceedings{Gonthier:CAV2006,
+  author =    {Georges Gonthier},
+  title =     {Verifying the safety of a practical concurrent
+               garbage collector},
+  booktitle = {Computer Aided Verification, 8th International Conference, CAV '96},
+  editor =    {Rajeev Alur and Thomas A. Henzinger},
+  volume =    {1102},
+  series =    lncs,
+  publisher = {Springer},
+  month =     jul # "--" # aug,
+  year =      {1996},
+  pages =     {462-465},
+}
+
+@Article{CLIncStack,
+  author =    {William R. Bevier and Hunt, Jr., Warren A. and
+                  J Strother Moore and William D. Young},
+  title =     {Special issue on system verification},
+  journal =   {Journal of Automated Reasoning},
+  volume =    {5},
+  number =    {4},
+  month =     dec,
+  year =      {1989},
+  pages =     {409-530},
+}
+
+@InProceedings{ParkinsonBierman:POPL2005,
+  author =       {Matthew J. Parkinson and Gavin M. Bierman},
+  title =        {Separation logic and abstraction},
+  booktitle =    {Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium
+                  on Principles of Programming Languages, POPL 2005},
+  publisher =    {ACM},
+  month =        jan,
+  year =         {2005},
+  pages =        {247-258},
+}
+
+@InProceedings{Weide:VSTTE2008,
+  author =       {Bruce W. Weide and Murali Sitaraman and Heather
+                  K. Harton and Bruce Adcock and Paolo Bucci and
+                  Derek Bronish and Wayne D. Heym and Jason
+                  Kirschenbaum and David Frazier},
+  title =        {Incremental Benchmarks for Software Verification Tools and Techniques},
+  booktitle =    {Verified Software: Theories, Tools, Experiments,
+                  Second International Conference, VSTTE 2008},
+  editor =       {Natarajan Shankar and Jim Woodcock},
+  volume =       {5295},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        oct,
+  year =         {2008},
+  pages =        {84-98},
+}
+
+@Article{SchorrWaite:CACM1967,
+  author =       {H. Schorr and W. M. Waite},
+  title =        {An Efficient Machine-Independent Procedure for
+                  Garbage Collection in Various List Structures},
+  journal =      cacm,
+  volume =       {10},
+  number =       {8},
+  month =        aug,
+  year =         {1967},
+  pages =        {501-506},
+}
+
+@phdthesis{Leino:thesis,
+  author = "K. Rustan M. Leino",
+  title = "Toward Reliable Modular Programs",
+  school = {California Institute of Technology},
+  year = 1995,
+  note = "Technical Report Caltech-CS-TR-95-03."
+}
+
+@inproceedings{Boyland:SAS2003,
+  author =      {John Boyland},
+  title =       {Checking Interference with Fractional Permissions},
+  booktitle =   "Static Analysis, 10th International Symposium, SAS 2003",
+  editor =      {Radhia Cousot},
+  series =      lncs,
+  volume =      2694,
+  publisher =   "Springer",
+  year =        2003,
+  pages =       {55-72}
+}
+
+@InProceedings{Reynolds:SepLogic,
+  author =       {John C. Reynolds},
+  title =        {Separation Logic: A Logic for Shared Mutable Data Structures},
+  booktitle =    {17th IEEE Symposium on Logic in Computer Science (LICS 2002)},
+  publisher =    {IEEE Computer Society},
+  year =         {2002},
+  month =        jul,
+  pages =        {55-74},
+}
+
+@InProceedings{Clarke-Drossopoulou02,
+  author =	 {Dave Clarke and Sophia Drossopoulou},
+  title =	 {Ownership, encapsulation and the disjointness of
+                  type and effect},
+  booktitle =	 {Proceedings of the 2002 ACM SIGPLAN Conference on
+                  Object-Oriented Programming Systems, Languages and
+                  Applications, OOPSLA 2002},
+  publisher = {ACM},
+  Month =	 nov,
+  Year =	 2002,
+  pages =	 {292--310},
+}
+
+@InProceedings{FAP:OOPSLA1998,
+  author =       {Dave Clarke and John Potter and James Noble},
+  title =        {Ownership Types for Flexible Alias Protection},
+  booktitle =    {Proceedings of the 1998 ACM SIGPLAN Conference on
+                  Object-Oriented Programming Systems, Languages \&
+                  Applications (OOPSLA '98)},
+  publisher =    {ACM},
+  month =        oct,
+  year =         {1998},
+  pages =        {48-64},
+}
+
+@Article{LeinoNelson:tome,
+  author = "K. Rustan M. Leino and Greg Nelson",
+  title = "Data abstraction and information hiding",
+  journal = toplas,
+  month = sep,
+  year = 2002,
+  volume = 24,
+  number = 5,
+  pages = "491-553"
+}
+
+@PhdThesis{Darvas:thesis,
+  author =       {{\'A}d{\'a}m P{\'e}ter Darvas},
+  title =        {Reasoning About Data Abstraction in Contract Languages},
+  school =       {ETH Zurich},
+  year =         {2009},
+  note =         {Diss. ETH No. 18622},
+}
+
+@InProceedings{SmansEtAl:VeriCool,
+  author =       {Jan Smans and Bart Jacobs and Frank Piessens and Wolfram Schulte},
+  title =        {Automatic Verifier for {J}ava-Like Programs Based on Dynamic Frames},
+  booktitle =    {Fundamental Approaches to Software Engineering, 11th
+                  International Conference, FASE 2008},
+  editor =       {Jos{\'e} Luiz Fiadeiro and Paola Inverardi},
+  volume =       {4961},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        mar # "--" # apr,
+  year =         {2008},
+  pages =        {261-275},
+}
+
+@inproceedings{Why:Platform,
+  author    = {Jean-Christophe Filli{\^a}tre and Claude March{\'e}},
+  title     = {The {Why}/{Krakatoa}/{Caduceus} Platform for Deductive Program Verification},
+  booktitle =    {Computer Aided Verification, 19th International Conference, CAV 2007},
+  editor =       {Werner Damm and Holger Hermanns},
+  volume =       {4590},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        jul,
+  year =         {2007},
+  pages     = {173--177}
+}
+
+@InProceedings{BarrettTinelli:CVC3,
+  author =       {Clark Barrett and Cesare Tinelli},
+  title =        {{CVC3}},
+  booktitle =    {Computer Aided Verification, 19th International Conference, CAV 2007},
+  editor =       {Werner Damm and Holger Hermanns},
+  volume =       {4590},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        jul,
+  year =         {2007},
+  pages =        {298-302},
+}
+
+@InProceedings{HubertMarche:SchorrWaite,
+  author =       {Thierry Hubert and Claude March{\'e}},
+  title =        {A case study of {C} source code verification: the
+                  {S}chorr-{W}aite algorithm},
+  booktitle =    {Third IEEE International Conference on Software
+                  Engineering and Formal Methods (SEFM 2005)},
+  editor =       {Bernhard K. Aichernig and Bernhard Beckert},
+  publisher =    {IEEE Computer Society },
+  month =        sep,
+  year =         {2005},
+  pages =        {190-199},
+}
+
+@Article{BroyPepper:SchorrWaite,
+  author =       {Manfred Broy and Peter Pepper},
+  title =        {Combining Algebraic and Algorithmic Reasoning: An
+                  Approach to the {S}chorr-{W}aite Algorithm},
+  journal =      toplas,
+  volume =       {4},
+  number =       {3},
+  month =        jul,
+  year =         {1982},
+  pages =        {362-381},
+}
+
+@Article{MehtaNipkow:SchorrWaite,
+  author =       {Farhad Mehta and Tobias Nipkow},
+  title =        {Proving pointer programs in higher-order logic},
+  journal =      {Information and Computation},
+  year =         {2005},
+  volume =       {199},
+  number =       {1--2},
+  pages =        {200-227},
+  month =        may # "--" # jun,
+}
+
+@InProceedings{Abrial:SchorrWaite,
+  author =       {Jean-Raymond Abrial},
+  title =        {Event Based Sequential Program Development:
+                  Application to Constructing a Pointer Program},
+  booktitle =    {FME 2003: Formal Methods, International Symposium of
+                  Formal Methods Europe},
+  editor =       {Keijiro Araki and Stefania Gnesi and Dino Mandrioli},
+  volume =       {2805},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        sep,
+  year =         {2003},
+  pages =        {51-74},
+}
+
+@InCollection{Bubel:SchorrWaite,
+  author =       {Richard Bubel},
+  title =        {The Schorr-Waite-Algorithm},
+  booktitle =    {Verification of Object-Oriented Software: The {KeY} Approach},
+  crossref =     {KeY:book},
+  chapter =      {15},
+}
+
+@InProceedings{BanerjeeEtAl:RegionLogic,
+  author =    {Anindya Banerjee and David A. Naumann and Stan Rosenberg},
+  title =     {Regional Logic for Local Reasoning about Global Invariants},
+  booktitle = {ECOOP 2008 --- Object-Oriented Programming, 22nd European Conference},
+  editor =    {Jan Vitek},
+  series =    lncs,
+  volume =    5142,
+  publisher = {Springer},
+  month =     jul,
+  year =      2008,
+  pages =     {387-411},
+}
+
+@Book{Abrial:BBook,
+  author = "J.-R. Abrial",
+  title = "The {B}-Book: Assigning Programs to Meanings",
+  publisher = "Cambridge University Press",
+  year = 1996
+}
+
+@Book{Abrial:EventB:book,
+  author =       {Jean-Raymond Abrial},
+  title =        {Modeling in {Event-B}: System and Software Engineering},
+  publisher =    {Cambridge University Press},
+  year =         {2010},
+}
+
+@Article{MisraCook:Orc,
+  author =       {Jayadev Misra and William R. Cook},
+  title =        {Computation Orchestration: A Basis for Wide-Area Computing},
+  journal =      {Software and Systems Modeling},
+  year =         {2007},
+  volume =       6,
+  number =       1,
+  pages =        {83-110},
+  month =        mar,
+}
+
+@Book{Jackson:Alloy:book,
+  author =       {Daniel Jackson},
+  title =        {Software Abstractions: Logic, Language, and Analysis},
+  publisher =    {MIT Press},
+  year =         {2006},
+}
+
+@InProceedings{JacksonEtAl:Formula,
+  author =       {Ethan K. Jackson and Dirk Seifert and Markus
+                  Dahlweid and Thomas Santen and Nikolaj Bj{\o}rner
+                  and Wolfram Schulte},
+  title =        {Specifying and Composing Non-functional Requirements
+                  in Model-Based Development},
+  booktitle =    {Proceedings of the 8th International Conference on
+                  Software Composition},
+  pages =        {72-89},
+  year =         {2009},
+  editor =       {Alexandre Bergel and Johan Fabry},
+  series =       lncs,
+  volume =       {5634},
+  month =        jul,
+  publisher =    {Springer},
+}
+
+@InProceedings{HarelEtAl:PlayInPlayOut,
+  author =       {David Harel and Hillel Kugler and Rami Marelly and
+                  Amir Pnueli},
+  title =        {Smart {P}lay-out of Behavioral Requirements},
+  booktitle =    {Formal Methods in Computer-Aided Design, 4th
+                  International Conference, FMCAD 2002},
+  pages =        {378-398},
+  year =         {2002},
+  editor =       {Mark Aagaard and John W. O'Leary},
+  volume =       {2517},
+  series =       lncs,
+  month =        nov,
+  publisher =    {Springer},
+}
+
+@Article{Smith:KIDS-overview,
+  author = "Douglas R. Smith",
+  title = "{KIDS}: A Semi-Automatic Program Development System",
+  journal = {IEEE Transactions on Software Engineering },
+  volume = 16,
+  number = 9,
+  month = sep,
+  year = 1990,
+  pages = "1024-1043",
+}
+
+@article{Hoare:DataRepresentations,
+  author = "C. A. R. Hoare",
+  title = "Proof of correctness of data representations",
+  journal = acta,
+  volume = 1,
+  number = 4,
+  year = 1972,
+  pages = "271-281"
+}
+
+@InProceedings{Abrial:FM-in-practice,
+  author =       {Jean-Raymond Abrial},
+  title =        {Formal methods in industry: achievements, problems, future},
+  booktitle =    {28th International Conference on Software Engineering (ICSE 2006)},
+  editor =       {Leon J. Osterweil and H. Dieter Rombach and Mary Lou Soffa},
+  month =        may,
+  year =         {2006},
+  publisher =    {ACM},
+  pages =        {761-768},
+}
+
+@InProceedings{MartinEtAl:AsynchMIPS,
+  author =       {Alain J. Martin and Andrew Lines and Rajit Manohar
+                  and Mika Nystr{\"o}m and Paul I. P{\'e}nzes and
+                  Robert Southworth and Uri Cummings},
+  title =        {The Design of an Asynchronous MIPS R3000 Microprocessor},
+  booktitle =    {17th Conference on Advanced Research in VLSI (ARVLSI '97}},
+  month =        sep,
+  year =         {1997},
+  publisher =    {IEEE Computer Society},
+  pages =        {164-181},
+}
+
+@InProceedings{BallEtAll:ScalableChecking,
+  author =       {Thomas Ball and Brian Hackett and Shuvendu K. Lahiri
+                  and Shaz Qadeer and Julien Vanegue},
+  title =        {Towards Scalable Modular Checking of User-Defined Properties},
+  booktitle =    {Verified Software: Theories, Tools, Experiments,
+                  (VSTTE 2010)},
+  editor =       {Gary T. Leavens and Peter O'Hearn and Sriram K. Rajamani},
+  volume =       {6217},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        aug,
+  year =         {2010},
+  pages =        {1-24},
+}
+
+@InProceedings{RegisGianasPottier:FunctionalHoare,
+  author =       {Yann R{\'e}gis-Gianas and Fran{\,c}ois Pottier},
+  title =        {A {H}oare Logic for Call-by-Value Functional Programs},
+  booktitle =    {Mathematics of Program Construction, 9th International Conference, MPC 2008},
+  pages =        {305-335},
+  year =         {2008},
+  editor =       {Philippe Audebaud and Christine Paulin-Mohring},
+  volume =       {5133},
+  series =       lncs,
+  month =        jul,
+  publisher =    {Springer},
+}
+
+@InProceedings{VeanesEtAl:SpecExplorer,
+  author =       {Margus Veanes and Colin Campbell and Wolfgang
+                  Grieskamp and Wolfram Schulte and Nikolai Tillmann
+                  and Lev Nachmanson},
+  title =        {Model-Based Testing of Object-Oriented Reactive
+                  Systems with {Spec} {Explorer}},
+  booktitle =    {Formal Methods and Testing},
+  pages =        {39-76},
+  year =         {2008},
+  editor =       {Robert M. Hierons and Jonathan P. Bowen and Mark Harman},
+  volume =       {4949},
+  series =       lncs,
+  publisher =    {Springer},
+}
+
+@book{Dijkstra:Discipline,
+  author = "Edsger W. Dijkstra",
+  title = "A Discipline of Programming",
+  publisher = "Prentice Hall",
+  address = "Englewood Cliffs, NJ",
+  year = 1976
+}
+
+@InProceedings{LeinoMueller:ESOP2009,
+  author =    {K. Rustan M. Leino and Peter M{\"u}ller},
+  title =     {A Basis for Verifying Multi-threaded Programs},
+  booktitle = {Programming Languages and Systems, 18th European
+                  Symposium on Programming, ESOP 2009},
+  editor =    {Giuseppe Castagna},
+  volume =    {5502},
+  series =    lncs,
+  publisher = {Springer},
+  month =     mar,
+  year =      2009,
+  pages =     {378-393},
+}
+
+@InProceedings{LeinoRuemmer:Boogie2,
+  author =       {K. Rustan M. Leino and Philipp R{\"u}mmer},
+  title =        {A Polymorphic Intermediate Verification Language:
+                  Design and Logical Encoding},
+  booktitle =    {Tools and Algorithms for the Construction and
+                  Analysis of Systems, 16th International Conference,
+                  TACAS 2010},
+  editor =       {Javier Esparza and Rupak Majumdar},
+  series =       lncs,
+  volume =       6015,
+  publisher =    {Springer},
+  month =        mar,
+  year =         2010,
+  pages =        {312-327},
+}
+
+@book{LiskovGuttag:book,
+  author = "Barbara Liskov and John Guttag",
+  title = "Abstraction and Specification in Program Development",
+  publisher = "MIT Press",
+  series = "MIT Electrical Engineering and Computer Science Series",
+  year = 1986
+}
+
+@TechReport{DahlEtAl:Simula67,
+  author =       {Ole-Johan Dahl and Bj{\o}rn Myhrhaug and Kristen Nygaard},
+  title =        {Common Base Language},
+  institution =  {Norwegian Computing Center},
+  type =         {Publication},
+  number =       {S-22},
+  month =        oct,
+  year =         1970,
+}
+
+@inproceedings{LeinoMueller:ModelFields,
+  author    = {K. Rustan M. Leino and
+               Peter M{\"u}ller},
+  title     = {A Verification Methodology for Model Fields},
+  booktitle = "Programming Languages and Systems, 15th European Symposium on Programming, ESOP 2006",
+  editor = "Peter Sestoft",
+  series = lncs,
+  volume = 3924,
+  publisher = "Springer",
+  month = mar,
+  year = 2006,
+  pages = {115-130},
+}
+
+@InProceedings{CarterEtAl:UsingPerfectDeveloper,
+  author =       {Gareth Carter and Rosemary Monahan and Joseph M. Morris},
+  title =        {Software Refinement with {P}erfect {D}eveloper},
+  booktitle =    {Third IEEE International Conference on Software
+                  Engineering and Formal Methods (SEFM 2005)},
+  pages =        {363-373},
+  editor =       {Bernhard K. Aichernig and Bernhard Beckert},
+  month =        sep,
+  year =         {2005},
+  publisher =    {IEEE Computer Society},
+}
+
+@InProceedings{Abrial:SchorrWaite,
+  author =       {Jean-Raymond Abrial},
+  title =        {Event Based Sequential Program Development:
+                  Application to Constructing a Pointer Program},
+  booktitle =    {FME 2003: Formal Methods, International Symposium of
+                  Formal Methods Europe},
+  editor =       {Keijiro Araki and Stefania Gnesi and Dino Mandrioli},
+  volume =       {2805},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        sep,
+  year =         {2003},
+  pages =        {51-74},
+}
+
+@article{Barnett-etal04,
+  author    = {Mike Barnett and Robert DeLine and Manuel F{\"a}hndrich and
+               K. Rustan M. Leino and Wolfram Schulte},
+  title     = {Verification of Object-Oriented Programs with Invariants},
+  journal   = {Journal of Object Technology},
+  volume    = 3,
+  number    = 6,
+  year      = 2004,
+  pages     = {27-56},
+}
+
+@InProceedings{SmansEtAl:ImplicitDynamicFrames,
+  author = 	 {Jan Smans and Bart Jacobs and Frank Piessens},
+  title = 	 {Implicit Dynamic Frames: Combining Dynamic Frames
+                  and Separation Logic},
+  booktitle =	 {ECOOP 2009 --- Object-Oriented Programming, 23rd
+                  European Conference},
+  editor =	 {Sophia Drossopoulou},
+  volume =	 {5653},
+  series =	 lncs,
+  publisher =	 {Springer},
+  month =	 jul,
+  year =	 {2009},
+  pages =	 {148-172},
+}
+
+@inproceedings{GriesPrins:Encapsulation,
+  author = "David Gries and Jan Prins",
+  title = "A New Notion of Encapsulation",
+  booktitle = "Proceedings of the {ACM} {SIGPLAN} 85
+               Symposium on Language Issues in Programming Environments",
+  publisher = "ACM",
+  series = "SIGPLAN Notices 20",
+  number = 7,
+  month = jul,
+  year = 1985,
+  pages = "131-139"
+}
+
+@InProceedings{YangHawblitzel:Verve,
+  author =       {Jean Yang and Chris Hawblitzel},
+  title =        {Safe to the last instruction: automated verification of a type-safe operating system},
+  booktitle =    {Proceedings of the 2010 ACM SIGPLAN Conference on
+                  Programming Language Design and Implementation, PLDI
+                  2010},
+  editor =       {Benjamin G. Zorn and Alexander Aiken},
+  month =        jun,
+  year =         {2010},
+  publisher =    {ACM},
+  pages =        {99-110},
+}
+
+@Book{BoyerMoore:book,
+  author =       {Robert S. Boyer and J Strother Moore},
+  title =        {A Computational Logic},
+  publisher =    {Academic Press},
+  series =       {ACM Monograph Series},
+  year =         {1979},
+}
+
+@article{HoareWirth:Pascal,
+  author = "C. A. R. Hoare and N. Wirth",
+  title = "An axiomatic definition of the programming language {PASCAL}",
+  journal = acta,
+  volume = 2,
+  number = 4,
+  year = 1973,
+  pages = "335-355"
+}
+
+@article{Hoare:AxiomaticBasis,
+  author    = "C. A. R. Hoare",
+  title     = "An axiomatic basis for computer programming",
+  journal   = cacm,
+  volume    = 12,
+  number    = 10,
+  year      = 1969,
+  month     = oct,
+  pages     = "576--580,583"
+}
+
+@InProceedings{LeinoMoskal:vacid0-notYetConfirmed,
+  author =       {K. Rustan M. Leino and Micha{\l} Moskal},
+  title =        {{VACID-0}: {V}erification of {A}mple {C}orrectness
+                  of {I}nvariants of {D}ata-structures, Edition 0},
+  booktitle =    {VS-Tools & Experiments},
+  year =         2010,
+  editor =       {Rajeev Joshi and Tiziana Margaria and Peter
+                  M{\"u}ller and David Naumann and Hongseok Yang},
+  series =       {VSTTE 2010 Workshop Proceedings},
+  publisher =    {ETH Zurich Technical Report 676},
+  month =        aug,
+}
+
+@InCollection{Chalice:tutorial,
+  author =    {K. Rustan M. Leino and Peter M{\"u}ller and Jan Smans},
+  title =     {Verification of Concurrent Programs with {C}halice},
+  booktitle = {Foundations of Security Analysis and Design {V}: {FOSAD} 2007/2008/2009 Tutorial Lectures},
+  editor =    {Alessandro Aldini and Gilles Barthe and Roberto Gorrieri},
+  volume =    {5705},
+  series =    lncs,
+  publisher = {Springer},
+  year =      {2009},
+  pages =     {195-222}
+}
+
+@inproceedings{LeinoMuellerSmans10,
+  author =    {K. Rustan M. Leino and Peter M{\"u}ller and Jan Smans},
+  title =     {Deadlock-Free Channels and Locks},
+  booktitle = {Programming Languages and Systems, 19th European Symposium on Programming, ESOP 2010},
+  editor =    {Andrew D. Gordon},
+  volume =    {6012},
+  series =    lncs,
+  publisher = {Springer},
+  month =     mar,
+  year =      {2010},
+  pages =     {407-426}
+}
+
+@Book{BundyEtAl:Rippling,
+  author =    {Alan Bundy and David Basin and Dieter Hutter and Andrew Ireland},
+  title =     {Rippling: Meta-level Guidance for Mathematical Reasoning},
+  publisher = {Cambridge University Press},
+  volume =    {56},
+  series =    {Cambridge Tracts in Theoretical Computer Science},
+  year =      {2005},
+}
+
+@book{Gries:Science,
+  author = "David Gries",
+  title = "The Science of Programming",
+  publisher = "Springer-Verlag",
+  series = "Texts and Monographs in Computer Science",
+  year = 1981
+}
+
+@Book{DijkstraFeijen:Book,
+  author = "Edsger W. Dijkstra and W. H. J. Feijen",
+  title = "A Method of Programming",
+  publisher = "Addison-Wesley",
+  month = jul,
+  year = 1988,
+}
+
+@book{Kaldewaij:Programming,
+  author    = "Anne Kaldewaij",
+  title     = "Programming: The Derivation of Algorithms",
+  publisher = "Prentice-Hall International",
+  year      = 1990,
+  series    = "Series in Computer Science",
+}
+
+@InProceedings{LeinoMonahan:VSTTE2010,
+  author =       {K. Rustan M. Leino and Rosemary Monahan},
+  title =        {Dafny Meets the Verification Benchmarks Challenge},
+  booktitle =    {Verified Software: Theories, Tools, Experiments,
+                  Third International Conference, VSTTE 2010},
+  pages =        {112-126},
+  year =         {2010},
+  editor =       {Gary T. Leavens and Peter W. O'Hearn and Sriram K. Rajamani},
+  volume =       {6217},
+  series =       lncs,
+  month =        aug,
+  publisher =    {Springer},
+}
+
+@InProceedings{VSComp2010:report,
+  author =       {Vladimir Klebanov and Peter M{\"u}ller and Natarajan Shankar and
+                  Gary T. Leavens and Valentin W{\"u}stholz and Eyad Alkassar and
+                  Rob Arthan and Derek Bronish and Rod Chapman and Ernie Cohen and
+                  Mark Hillebrand and Bart Jacobs and K. Rustan M. Leino and
+                  Rosemary Monahan and Frank Piessens and Nadia Polikarpova and
+                  Tom Ridge and Jan Smans and Stephan Tobies and Thomas Tuerk and
+                  Mattias Ulbrich and Benjamin Wei{\ss}},
+  title =        {The 1st Verified Software Competition: Experience Report},
+  booktitle =    {FM 2011: Formal Methods --- 17th International
+                  Symposium on Formal Methods},
+  pages =        {154-168},
+  year =         {2011},
+  editor =       {Michael Butler and Wolfram Schulte},
+  volume =       {6664},
+  series =       lncs,
+  month =        jun,
+  publisher =    {Springer},
+}
+
+@InProceedings{Leino:Dafny:LPAR16,
+  author =       {K. Rustan M. Leino},
+  title =        {Dafny: An Automatic Program Verifier for Functional Correctness},
+  booktitle =    {LPAR-16},
+  year =         {2010},
+  volume =       {6355},
+  series =       lncs,
+  publisher =    {Springer},
+  month =        apr,
+  editor =       {Edmund M. Clarke and Andrei Voronkov},
+  pages =        {348-370},
+}
+
+@book{BackVonWright:Book,
+  author = "Ralph-Johan Back and von Wright, Joakim",
+  title = "Refinement Calculus: A Systematic Introduction",
+  series = "Graduate Texts in Computer Science",
+  publisher = "Springer-Verlag",
+  year = 1998
+}
+
+@Article{BalzerCheathamGreen:1990s,
+  author = 	 {Robert Balzer and {Cheatham, Jr.}, Thomas E. and Cordell Green},
+  title = 	 {Software Technology in the 1990's: Using a New Paradigm},
+  journal = 	 {IEEE Computer},
+  year = 	 {1983},
+  volume =	 {16},
+  number =	 {11},
+  pages =	 {39-45 },
+  month =	 nov,
+}
+
+@InProceedings{Zloof:QBE,
+  author = 	 {Mosh{\'e} M. Zloof},
+  title = 	 {Query by Example},
+  booktitle =	 {American Federation of Information Processing
+                  Societies: 1975 National Computer Conference},
+  pages =	 {431-438},
+  year =	 {1975},
+  month =	 may,
+  publisher =	 {AFIPS Press },
+}
+
+@InProceedings{HarrisGulwani:PLDI2011,
+  author = 	 {William R. Harris and Sumit Gulwani},
+  title = 	 {Spreadsheet table transformations from examples},
+  booktitle =	 {Proceedings of the 32nd ACM SIGPLAN Conference on
+                  Programming Language Design and Implementation, PLDI
+                  2011},
+  pages =	 {317-328},
+  year =	 {2011},
+  editor =	 {Mary W. Hall and David A. Padua},
+  month =	 jun,
+  publisher =	 {ACM},
+}
+
+@Article{Smith:KIDS-overview,
+  author = "Douglas R. Smith",
+  title = "{KIDS}: A Semi-Automatic Program Development System",
+  journal = {IEEE Transactions on Software Engineering },
+  volume = 16,
+  number = 9,
+  month = sep,
+  year = 1990,
+  pages = "1024-1043",
+}
+
+@Article{RodinToolset,
+  author =       {Jean-Raymond Abrial and Michael Butler and Stefan
+                  Hallerstede and Thai Son Hoang and Farhad Mehta and
+                  Laurent Voisin},
+  title =        {Rodin: An Open Toolset for Modelling and Reasoning in {Event-B}},
+  journal =      {International Journal on Software Tools for Technology Transfer},
+  year =         {2010},
+  month =        apr,
+}
+
+@Article{Summers:LISP-from-examples,
+  author = 	 {Phillip D. Summers},
+  title = 	 {A Methodology for {LISP} Program Construction from Examples},
+  journal = 	 jacm,
+  year = 	 {1977},
+  volume =	 {24},
+  number =	 {1},
+  pages =	 {161-175},
+  month =	 jan,
+}
+
+@InProceedings{Pex:overview,
+  author = 	 {Nikolai Tillmann and de Halleux, Jonathan},
+  title = 	 {Pex---White Box Test Generation for {.NET}},
+  booktitle =	 {Tests and Proofs, Second International Conference, TAP 2008},
+  pages =	 {134-153},
+  year =	 {2008},
+  editor =	 {Bernhard Beckert and Reiner H{\"a}hnle},
+  series =	 lncs,
+  volume =	 {4966},
+  month =	 apr,
+  publisher =	 {Springer},
+}
+
+@InProceedings{GodefroidKlarlundSen:DART,
+  author = 	 {Patrice Godefroid and Nils Klarlund and Koushik Sen},
+  title = 	 {{DART}: directed automated random testing},
+  booktitle =	 {Proceedings of the ACM SIGPLAN 2005 Conference on
+                  Programming Language Design and Implementation},
+  pages =	 {213-223},
+  year =	 {2005},
+  editor =	 {Vivek Sarkar and Mary W. Hall},
+  month =	 jun,
+  publisher =	 {ACM},
+}
+
+@PhdThesis{Monahan:thesis,
+  author = 	 {Rosemary Monahan},
+  title = 	 {Data Refinement in Object-Oriented Verification},
+  school = 	 {Dublin City University},
+  year = 	 {2010},
+}
+
+@InProceedings{Denali:pldi2002,
+  author = 	 {Rajeev Joshi and Greg Nelson and Keith H. Randall},
+  title = 	 {Denali: A Goal-directed Superoptimizer},
+  booktitle =	 {Proceedings of the 2002 ACM SIGPLAN Conference on
+                  Programming Language Design and Implementation
+                  (PLDI)},
+  pages =	 {304-314},
+  year =	 {2002},
+  month =	 jun,
+  publisher =	 {ACM},
+}
+@Book{SETL,
+  author =       {J. T. Schwartz and R. B. K. Dewar and E. Dubinsky and E. Schonberg},
+  title =        {Programming with Sets: An Introduction to {SETL}},
+  series =       {Texts and Monographs in Computer Science},
+  publisher =    {Springer},
+  year =         {1986},
+}
+
+@InProceedings{KuncakEtAl:PLDI2010,
+  author = 	 {Viktor Kuncak and Mika{\"e}l Mayer and Ruzica Piskac
+                  and Philippe Suter},
+  title = 	 {Complete functional synthesis},
+  booktitle =	 {Proceedings of the 2010 ACM SIGPLAN Conference on
+                  Programming Language Design and Implementation, PLDI
+                  2010},
+  pages =	 {316-329},
+  year =	 {2010},
+  editor =	 {Benjamin G. Zorn and Alexander Aiken},
+  month =	 jun,
+  publisher =	 {ACM},
+}
+
+@Article{JML:ToolSuite:STTT,
+  author = 	 {Lilian Burdy and Yoonsik Cheon and David R. Cok and
+                   Michael D. Ernst and Joeseph R. Kiniry and Gary T. Leavens and
+                   K. Rustan M. Leino and Erik Poll},
+  title = 	 {An overview of {JML} tools and applications},
+  journal = 	 {International Journal on Software Tools
+                  for Technology Transfer},
+  volume =       7,
+  number =       3,
+  publisher =    {Springer},
+  month =        jun,
+  year = 	 2005,
+  pages =        {212-232},
+}
+
+@InProceedings{Green:ProblemSolving,
+  author =       {Cordell Green},
+  title =        {Application of Theorem Proving to Problem Solving},
+  booktitle =    {Proceedings of the 1st International Joint Conference on Artificial Intelligence},
+  editor =       {Donald E. Walker and Lewis M. Norton},
+  pages =        {219-240},
+  year =         {1969},
+  month =        may,
+  publisher =    {William Kaufmann},
+}
+
+@Article{MannaWaldinger:CACM1971,
+  author =       {Zohar Manna and Richard J. Waldinger},
+  title =        {Towards automatic program synthesis},
+  journal =      cacm,
+  year =         {1971},
+  volume =       {14},
+  number =       {3},
+  pages =        {151-165},
+  month =        mar,
+}
+
+@Article{RichWaters:ProgAppren,
+  author =       {Charles Rich and Richard C. Waters},
+  title =        {The {P}rogrammer's {A}pprentice: A Research Overview},
+  journal =      {IEEE Computer},
+  year =         {1988},
+  volume =       {21},
+  number =       {11},
+  pages =        {10-25},
+  month =        nov,
+}
+
+@InProceedings{Green:PSI,
+  author =       {Cordell Green},
+  title =        {The Design of the {PSI} Program Synthesis System},
+  booktitle =    {Proceedings of the 2nd International Conference on Software Engineering},
+  pages =        {4-18},
+  year =         {1976},
+  month =        oct,
+  publisher =    {IEEE Computer Society},
+}
+
+@Article{SpecSharp:Retrospective:CACM,
+  author = 	 {Mike Barnett and Manuel F{\"a}hndrich and
+                  K. Rustan M. Leino and Peter M{\"u}ller and
+                  Wolfram Schulte and Herman Venter},
+  title = 	 {Specification and Verification: The {Spec\#} Experience},
+  journal = 	 cacm,
+  volume =	 {54},
+  number =	 {6},
+  pages =	 {81-91},
+  month =	 jun,
+  year = 	 2011,
+}
+
+@article{Filipovic:SepLogicRefinement,
+  author = {Ivana Filipovi{\'c} and Peter O'Hearn and
+            Noah Torp-Smith and Hongseok Yang},
+  title     = {Blaming the client: on data refinement in the presence of pointers},
+  journal   = {Formal Aspects of Computing},
+  volume    = {22},
+  number    = {5},
+  month     = sep,
+  year      = {2010},
+  pages     = {547-583},
+}
+
+@inproceedings{Grandy:JavaRefinement,
+  author = {Grandy, Holger and Stenzel, Kurt and Reif, Wolfgang},
+  title = {A refinement method for {J}ava programs},
+  booktitle = {Formal Methods for Open Object-Based Distributed Systems, 9th IFIP WG 6.1 International Conference, FMOODS 2007},
+  editor = {Marcello M. Bonsangue and Einar Broch Johnsen},
+  series = lncs,
+  number = {4468},
+  month = jun,
+  year = {2007},
+  publisher = {Springer},
+  pages = {221--235},
+}
+
+@InCollection{KoenigLeino:MOD2011,
+  author =    {Jason Koenig and K. Rustan M. Leino},
+  title =     {Getting Started with {D}afny: A Guide},
+  booktitle = {Software Safety and Security:  Tools for Analysis and Verification},
+  pages =     {152-181},
+  publisher = {IOS Press},
+  year =      {2012},
+  editor =    {Tobias Nipkow and Orna Grumberg and Benedikt Hauptmann},
+  volume =    {33},
+  series =    {NATO Science for Peace and Security Series D: Information and Communication Security},
+  note =      {Summer School Marktoberdorf 2011 lecture notes},
+}
+
+@InProceedings{VonWright:ExtendingWindowInference,
+  author = 	 {von Wright, Joakim},
+  title = 	 {Extending Window Inference},
+  booktitle =	 {Theorem Proving in Higher Order Logics, 11th International Conference, TPHOLs'98},
+  pages =	 {17-32},
+  year =	 {1998},
+  editor =	 {Jim Grundy and Malcolm C. Newey},
+  volume =	 {1479},
+  series =	 lncs,
+  publisher =	 {Springer},
+}
+
+@InProceedings{BauerWenzel:IsarExperience,
+  author = 	 {Gertrud Bauer and Markus Wenzel},
+  title = 	 {Calculational reasoning revisited: an {I}sabelle/{I}sar experience},
+  booktitle =	 {Theorem Proving in Higher Order Logics, 14th International Conference, TPHOLs 2001},
+  pages =	 {75-90},
+  year =	 {2001},
+  editor =	 {Richard J. Boulton and Paul B. Jackson},
+  volume =	 {2152},
+  series =	 lncs,
+  month =	 sep,
+  publisher =	 {Springer},
+}
+
+@InProceedings{Leino:induction,
+  author = 	 {K. Rustan M. Leino},
+  title = 	 {Automating Induction with an {SMT} Solver},
+  booktitle =	 {Verification, Model Checking, and Abstract Interpretation --- 13th International Conference, VMCAI 2012},
+  pages =	 {315-331},
+  year =	 {2012},
+  editor =	 {Viktor Kuncak and Andrey Rybalchenko},
+  volume =	 {7148},
+  series =	 lncs,
+  month =	 jan,
+  publisher =	 {Springer},
+}
+
+@InProceedings{LGLM:BVD,
+  author = 	 {Le Goues, Claire and K. Rustan M. Leino and Micha{\l} Moskal},
+  title = 	 {The {B}oogie {V}erification {D}ebugger (Tool Paper)},
+  booktitle =	 {Software Engineering and Formal Methods --- 9th International Conference, SEFM 2011},
+  pages =	 {407-414},
+  year =	 {2011},
+  editor =	 {Gilles Barthe and Alberto Pardo and Gerardo Schneider},
+  volume =	 {7041},
+  series =	 lncs,
+  month =	 nov,
+  publisher =	 {Springer},
+}
+
+@InProceedings{Filliatre:2lines,
+  author = 	 {Jean-Christophe Filli{\^a}tre},
+  title = 	 {Verifying two lines of {C} with {Why3}: an exercise in
+                  program verification},
+  booktitle =	 {Verified Software: Theories, Tools, Experiments ---
+                  4th International Conference, VSTTE 2012},
+  pages =	 {83-97},
+  year =	 {2012},
+  editor =	 {Rajeev Joshi and Peter M{\"u}ller and Andreas Podelski},
+  volume =	 {7152},
+  series =	 lncs,
+  month =	 jan,
+  publisher =	 {Springer},
+}
+
+@InCollection{LeinoMoskal:UsableProgramVerification,
+  author = 	 {K. Rustan M. Leino and Micha{\l} Moskal},
+  title = 	 {Usable Auto-Active Verification},
+  booktitle = 	 {UV10 (Usable Verification) workshop},
+  year =	 {2010},
+  editor =	 {Tom Ball and Lenore Zuck and N. Shankar},
+  month =	 nov,
+  publisher =	 {\url{http://fm.csl.sri.com/UV10/}},
+}
+
+@InProceedings{LeinoMonahan:Comprehensions,
+  author =    {K. Rustan M. Leino and Rosemary Monahan},
+  title =     {Reasoning about Comprehensions with First-Order {SMT} Solvers},
+  booktitle = {Proceedings of the 2009 ACM Symposium on Applied Computing (SAC)},
+  editor =    {Sung Y. Shin and Sascha Ossowski},
+  publisher = {ACM},
+  month =     mar,
+  year =      2009,
+  pages =     {615-622},
+}
+
+@TechReport{VeriFast:TR,
+  author =       {Bart Jacobs and Frank Piessens},
+  title =        {The {VeriFast} program verifier},
+  institution =  {Department of Computer Science, Katholieke Universiteit Leuven},
+  year =         {2008},
+  number =       {CW-520},
+  month =        aug,
+}
+
+@book{DijkstraScholten:book,
+  author = "Edsger W. Dijkstra and Carel S. Scholten",
+  title = "Predicate Calculus and Program Semantics",
+  publisher = "Springer-Verlag",
+  series = "Texts and Monographs in Computer Science",
+  year = 1990
+}
+
+@Book{KeY:book,
+   author    = {Bernhard Beckert and Reiner H{\"a}hnle and Peter H. Schmitt},
+   title     = {Verification of Object-Oriented Software: The {KeY} Approach},
+   volume    = 4334,
+   series    = lnai,
+   publisher = {Springer},
+   year      = 2007,
+}
+
+@Book{Coq:book,
+  author =	 {Yves Bertot and Pierre Cast{\'e}ran},
+  title = 	 {Interactive Theorem Proving and Program Development --- {C}oq'{A}rt: The Calculus of Inductive Constructions},
+  publisher = 	 {Springer},
+  year = 	 {2004},
+  series =	 {Texts in Theoretical Computer Science},
+}
+
+@Book{ACL2:book,
+  author =	 {Matt Kaufmann and Panagiotis Manolios and J Strother Moore},
+  title = 	 {Computer-Aided Reasoning: An Approach},
+  publisher = 	 {Kluwer Academic Publishers},
+  year = 	 {2000},
+}
+
+@InProceedings{Coq:Coinduction,
+  author = 	 {Eduardo Gim{\'e}nez},
+  title = 	 {An Application of Co-inductive Types in {Coq}: Verification of the Alternating Bit Protocol},
+  booktitle =    {Types for Proofs and Programs, International Workshop TYPES'95},
+  pages =	 {135-152},
+  year =	 {1996},
+  editor =	 {Stefano Berardi and Mario Coppo},
+  volume =	 1158,
+  series =	 lncs,
+  publisher =	 {Springer},
+}
+
+@InCollection{JacobsRutten:IntroductionCoalgebra,
+  author = 	 {Bart Jacobs and Jan Rutten},
+  title = 	 {An Introduction to (Co)Algebra and (Co)Induction},
+  booktitle = 	 {Advanced Topics in Bisimulation and Coinduction},
+  editor =	 {Davide Sangiorgi and Jan Rutten},
+  series =	 {Cambridge Tracts in Theoretical Computer Science},
+  number =	 {52},
+  publisher =	 {Cambridge University Press},
+  month =	 oct,
+  year =	 {2011},
+  pages =	 {38-99},
+}
+
+@InProceedings{SonnexEtAl:Zeno,
+  author = 	 {William Sonnex and Sophia Drossopoulou and Susan Eisenbach},
+  title = 	 {Zeno: An Automated Prover for Properties of Recursive
+                  Data Structures},
+  booktitle =	 {Tools and Algorithms for the Construction and Analysis of
+                  Systems --- 18th International Conference, TACAS 2012},
+  editor =	 {Cormac Flanagan and Barbara K{\"o}nig},
+  volume =	 {7214},
+  series =	 lncs,
+  year =	 {2012},
+  month =	 mar # "--" # apr,
+  publisher =	 {Springer},
+  pages =	 {407-421},
+}
+
+@InProceedings{JohanssonEtAl:IPT2010,
+  author = 	 {Moa Johansson and Lucas Dixon and Alan Bundy},
+  title = 	 {Case-Analysis for {R}ippling and Inductive Proof},
+  booktitle =	 {Interactive Theorem Proving, First International Conference, ITP 2010},
+  editor =	 {Matt Kaufmann and Lawrence C. Paulson},
+  volume =	 {6172},
+  series =	 lncs,
+  publisher =	 {Springer},
+  month =	 jul,
+  year =	 {2010},
+  pages =	 {291-306},
+}
+
+@Article{HatcliffEtAl:BISL,
+  author = 	 {John Hatcliff and Gary T. Leavens and
+                  K. Rustan M. Leino and Peter M{\"u}ller and Matthew Parkinson},
+  title = 	 {Behavioral interface specification languages},
+  journal = 	 {ACM Computing Surveys},
+  volume =	 {44},
+  number =	 {3},
+  note =	 {Article 16},
+  month =	 jun,
+  year = 	 {2012},
+}
+
+@InProceedings{BoehmeNipkow:Sledgehammer,
+  author = 	 {Sascha B{\"o}hme and Tobias Nipkow},
+  title = 	 {Sledgehammer: {J}udgement {D}ay},
+  booktitle =	 {Automated Reasoning, 5th International Joint Conference, IJCAR 2010},
+  editor =	 {J{\"u}rgen Giesl and Reiner H{\"a}hnle},
+  year =	 {2010},
+  pages =	 {107-121},
+  volume =	 {6173},
+  series =	 lncs,
+  month =	 jul,
+  publisher =	 {Springer},
+}
+
+@InProceedings{Dafny:LASER2011,
+  author = 	 {Luke Herbert and K. Rustan M. Leino and Jose Quaresma},
+  title = 	 {Using {Dafny}, an Automatic Program Verifier},
+  booktitle =	 {Tools for Practical Software Verification, {LASER}, International Summer School 2011},
+  editor =	 {Bertrand Meyer and Martin Nordio},
+  volume =	 {7682},
+  series =	 lncs,
+  year =	 {2012},
+  pages =	 {156-181},
+  publisher =	 {Springer},
+}
+
+@Article{Leroy:CompCert:CACM,
+  author = 	 {Xavier Leroy},
+  title = 	 {Formal verification of a realistic compiler},
+  journal = 	 cacm,
+  volume =	 {52},
+  number =	 {7},
+  year = 	 {2009},
+  pages =	 {107-115},
+}
+
+@InProceedings{Leino:ITP2013,
+  author = 	 {K. Rustan M. Leino},
+  title = 	 {Automating Theorem Proving with {SMT}},
+  booktitle =	 {Interactive Theorem Proving --- 4th International Conference, ITP 2013},
+  year =	 {2013},
+  editor =	 {Sandrine Blazy and Christine Paulin-Mohring and David Pichardie},
+  volume =	 {7998},
+  series =	 lncs,
+  pages =	 {2-16},
+  month =	 jul,
+  publisher =	 {Springer},
+}
+
+@techreport{Nelson:thesis,
+  author = "Charles Gregory Nelson",
+  title = "Techniques for Program Verification",
+  institution = "Xerox PARC",
+  month = jun,
+  year = 1981,
+  number = "CSL-81-10",
+  note = "The author's PhD thesis"
+}
+
+@InProceedings{LernerMillsteinChambers:VerifiedOptimizations,
+  author = 	 {Sorin Lerner and Todd Millstein and Craig Chambers},
+  title = 	 {Automatically proving the correctness of compiler optimizations},
+  booktitle =	 {Proceedings of the ACM SIGPLAN 2003 Conference on
+                  Programming Language Design and Implementation 2003},
+  year =	 {2003},
+  editor =	 {Ron Cytron and Rajiv Gupta},
+  pages =	 {220-231},
+  month =	 jun,
+  publisher =	 {ACM},
+}
+
+@InProceedings{BoyerHunt:ACL2,
+  author =       {Robert S. Boyer and Hunt, Jr., Warren A.},
+  title =        {Function Memoization and Unique Object Representation for {ACL2} Functions},
+  booktitle =    {Proceedings of the Sixth International Workshop on
+                  the ACL2 Theorem Prover and its Applications, ACL2 2006},
+  editor =       {Panagiotis Manolios and Matthew Wilding},
+  month =        aug,
+  year =         {2006},
+  pages =        {81--89},
+  publisher =    {ACM},
+}
+
+@inproceedings{LeinoWuestholz:DafnyIDE,
+  author    = {K. Rustan M. Leino and
+               Valentin W{\"{u}}stholz},
+  title     = {The {D}afny Integrated Development Environment},
+  booktitle = {Proceedings 1st Workshop on Formal Integrated Development Environment,
+               {F-IDE} 2014},
+  month     = apr,
+  year      = {2014},
+  pages     = {3--15},
+  editor    = {Catherine Dubois and
+               Dimitra Giannakopoulou and
+               Dominique M{\'{e}}ry},
+  series    = {{EPTCS}},
+  volume    = {149},
+}
+
+@inproceedings{BarnettLeino:Weakest,
+ author = {Mike Barnett and K. Rustan M. Leino},
+ title = {Weakest-precondition of unstructured programs},
+ booktitle = {Proceedings of the 2005 ACM SIGPLAN-SIGSOFT Workshop on
+                  Program Analysis For Software Tools and Engineering,
+                  PASTE'05},
+ editor = {Michael D. Ernst and Thomas P. Jensen},
+ month = sep,
+ year = {2005},
+ pages = {82-87},
+ publisher = {ACM},
+}
diff --git a/v4.10.0/DafnyRef/version.txt b/v4.10.0/DafnyRef/version.txt
new file mode 100644
index 0000000..71e19f5
--- /dev/null
+++ b/v4.10.0/DafnyRef/version.txt
@@ -0,0 +1 @@
+v4.10.0 release snapshot
diff --git a/v4.10.0/Gemfile b/v4.10.0/Gemfile
new file mode 100644
index 0000000..aff4e1d
--- /dev/null
+++ b/v4.10.0/Gemfile
@@ -0,0 +1,32 @@
+source "https://rubygems.org"
+# Hello! This is where you manage which Jekyll version is used to run.
+# When you want to use a different version, change it below, save the
+# file and run `bundle install`. Run Jekyll with `bundle exec`, like so:
+#
+#     bundle exec jekyll serve
+#
+# This will help ensure the proper Jekyll version is running.
+# Happy Jekylling!
+gem "jekyll", "~> 4.3.3"
+# This is the default theme for new Jekyll sites. You may change this to anything you like.
+gem "minima", "~> 2.5"
+# If you want to use GitHub Pages, remove the "gem "jekyll"" above and
+# uncomment the line below. To upgrade, run `bundle update github-pages`.
+# gem "github-pages", "~> 228", group: :jekyll_plugins
+# If you have any plugins, put them here!
+#group :jekyll_plugins do
+#  gem "jekyll-feed", "~> 0.12"
+#end
+
+gem 'jekyll-numbered-headings'
+gem "kramdown", ">= 2.3.1"
+
+# Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem
+# and associated library.
+platforms :mingw, :x64_mingw, :mswin, :jruby do
+  gem "tzinfo", "~> 2.0"
+  gem "tzinfo-data"
+end
+
+# Performance-booster for watching directories on Windows
+gem "wdm", "~> 0.1.1", :platforms => [:mingw, :x64_mingw, :mswin]
diff --git a/v4.10.0/Gemfile.lock b/v4.10.0/Gemfile.lock
new file mode 100644
index 0000000..0256d19
--- /dev/null
+++ b/v4.10.0/Gemfile.lock
@@ -0,0 +1,89 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.6)
+      public_suffix (>= 2.0.2, < 6.0)
+    colorator (1.1.0)
+    concurrent-ruby (1.2.2)
+    em-websocket (0.5.3)
+      eventmachine (>= 0.12.9)
+      http_parser.rb (~> 0)
+    eventmachine (1.2.7)
+    ffi (1.16.3)
+    forwardable-extended (2.6.0)
+    google-protobuf (3.25.5-arm64-darwin)
+    google-protobuf (3.25.5-x86_64-linux)
+    http_parser.rb (0.8.0)
+    i18n (1.14.1)
+      concurrent-ruby (~> 1.0)
+    jekyll (4.3.3)
+      addressable (~> 2.4)
+      colorator (~> 1.0)
+      em-websocket (~> 0.5)
+      i18n (~> 1.0)
+      jekyll-sass-converter (>= 2.0, < 4.0)
+      jekyll-watch (~> 2.0)
+      kramdown (~> 2.3, >= 2.3.1)
+      kramdown-parser-gfm (~> 1.0)
+      liquid (~> 4.0)
+      mercenary (>= 0.3.6, < 0.5)
+      pathutil (~> 0.9)
+      rouge (>= 3.0, < 5.0)
+      safe_yaml (~> 1.0)
+      terminal-table (>= 1.8, < 4.0)
+      webrick (~> 1.7)
+    jekyll-feed (0.17.0)
+      jekyll (>= 3.7, < 5.0)
+    jekyll-numbered-headings (0.1.1)
+    jekyll-sass-converter (3.0.0)
+      sass-embedded (~> 1.54)
+    jekyll-seo-tag (2.8.0)
+      jekyll (>= 3.8, < 5.0)
+    jekyll-watch (2.2.1)
+      listen (~> 3.0)
+    kramdown (2.4.0)
+      rexml
+    kramdown-parser-gfm (1.1.0)
+      kramdown (~> 2.0)
+    liquid (4.0.4)
+    listen (3.8.0)
+      rb-fsevent (~> 0.10, >= 0.10.3)
+      rb-inotify (~> 0.9, >= 0.9.10)
+    mercenary (0.4.0)
+    minima (2.5.1)
+      jekyll (>= 3.5, < 5.0)
+      jekyll-feed (~> 0.9)
+      jekyll-seo-tag (~> 2.1)
+    pathutil (0.16.2)
+      forwardable-extended (~> 2.6)
+    public_suffix (5.0.4)
+    rb-fsevent (0.11.2)
+    rb-inotify (0.10.1)
+      ffi (~> 1.0)
+    rexml (3.3.9)
+    rouge (4.2.0)
+    safe_yaml (1.0.5)
+    sass-embedded (1.69.7-arm64-darwin)
+      google-protobuf (~> 3.25)
+    sass-embedded (1.69.7-x86_64-linux-gnu)
+      google-protobuf (~> 3.25)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
+    unicode-display_width (2.5.0)
+    webrick (1.8.2)
+
+PLATFORMS
+  arm64-darwin-22
+  x86_64-linux
+
+DEPENDENCIES
+  jekyll (~> 4.3.3)
+  jekyll-numbered-headings
+  kramdown (>= 2.3.1)
+  minima (~> 2.5)
+  tzinfo (~> 2.0)
+  tzinfo-data
+  wdm (~> 0.1.1)
+
+BUNDLED WITH
+   2.3.26
diff --git a/v4.10.0/HowToFAQ/.gitignore b/v4.10.0/HowToFAQ/.gitignore
new file mode 100644
index 0000000..65d2e6e
--- /dev/null
+++ b/v4.10.0/HowToFAQ/.gitignore
@@ -0,0 +1,2 @@
+text.dfy
+*.tmp
diff --git a/v4.10.0/HowToFAQ/ERROR_CloseParen.dfy b/v4.10.0/HowToFAQ/ERROR_CloseParen.dfy
new file mode 100644
index 0000000..a7a8b1d
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_CloseParen.dfy
@@ -0,0 +1 @@
+method test(int i) {}
diff --git a/v4.10.0/HowToFAQ/ERROR_CloseParen.md b/v4.10.0/HowToFAQ/ERROR_CloseParen.md
new file mode 100644
index 0000000..1942dd1
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_CloseParen.md
@@ -0,0 +1,22 @@
+---
+title: "Error: closeparen expected"
+---
+
+## Question
+
+What causes the error "Error: closeparen expected" as in
+
+```dafny
+{% include_relative ERROR_CloseParen.dfy %}
+```
+producing
+```text
+{% include_relative ERROR_CloseParen.txt %}
+```
+
+## Answer
+
+You are writing a Java/C parameter declaration. In Dafny, parameter declarations have the form `name: type`, so
+```dafny
+method test(i: int) { ... }
+```
diff --git a/v4.10.0/HowToFAQ/ERROR_CloseParen.txt b/v4.10.0/HowToFAQ/ERROR_CloseParen.txt
new file mode 100644
index 0000000..7de4aac
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_CloseParen.txt
@@ -0,0 +1,2 @@
+ERROR_CloseParen.dfy(1,12): Error: closeparen expected
+1 parse errors detected in ERROR_CloseParen.dfy
diff --git a/v4.10.0/HowToFAQ/ERROR_Covariance.dfy b/v4.10.0/HowToFAQ/ERROR_Covariance.dfy
new file mode 100644
index 0000000..7c7d9ca
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Covariance.dfy
@@ -0,0 +1,24 @@
+type neg = r : real | r <= 0.0
+
+datatype formula<T> = 
+   | Var(z: T)
+   | Plus(x: formula<T>, y: formula<T>) 
+   | Minus(x: formula<T>, y: formula<T>) 
+   | Mult(x: formula<T>, y: formula<T>)
+   | Divide(x: formula<T>, y: formula<T>)
+
+function method toReal(x: formula<real>) : real
+{
+   match x
+   case Var(z) => z
+   case Plus(y, z) => toReal(y) + toReal(z)
+   case Minus(y, z) => toReal(y) - toReal(z)
+   case Mult(y, z) => toReal(y) * toReal(z)
+   case Divide(y, z) => 
+      if toReal(z) == 0.0 then 42.0 else 43.0
+}
+
+datatype ChildLineItem = ChildLineItem(negChargeAmount: formula<neg>)
+
+predicate isValidChildLineItem(l: ChildLineItem) 
+{ toReal(l.negChargeAmount) <= 0.0 }
diff --git a/v4.10.0/HowToFAQ/ERROR_Covariance.md b/v4.10.0/HowToFAQ/ERROR_Covariance.md
new file mode 100644
index 0000000..e5021ae
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Covariance.md
@@ -0,0 +1,32 @@
+---
+title: "Error: value does not satisfy subset constraints of T"
+---
+
+The error "value does not satisfy subset constraints of T"
+for some type name `T` arises when a value is trying to be converted to a subset type `T`,
+and the value cannot be proved to satisfy the predicate that defines the subset type.
+
+This is pretty clear when one is trying to assign, say an `int` to a `nat`, but is more complex when using generic types.
+
+This example
+```dafny
+{% include_relative ERROR_Covariance.dfy %}
+```
+produces
+```text
+{% include_relative ERROR_Covariance.txt %}
+```
+
+The problem is that the code is trying to convert a `formula<neg>` to a `formula<real>`.
+While a `neg` is a subtype of `real`, that does not imply a subtype relationship between
+`formula<neg>` and `formula<real>`.
+That relationship must be declared in the definition of `formula`.
+By default, the definition of a generic type is _non-variant_, meaning there is no
+subtype relationship between `formula<T>` and `formula<U>` when `T` is a subtype of `U`.
+What is wanted here is for `formula` to be _covariant_, so that
+`formula<T>` is a subtype of `formula<U>` when `T` is a subtype of `U`.
+For that, use the declaration `formula<+T>`.
+
+To declare `formula` as _contravariant_ use `formula<-T>`. Then `formula<U>` is a subtype of `formula<T>` when `T` is a subtype of `U`.
+
+Type parameter characteristics are discussed in [the reference manual](../DafnyRef/DafnyRef.html#sec-type-parameter-variance)
diff --git a/v4.10.0/HowToFAQ/ERROR_Covariance.txt b/v4.10.0/HowToFAQ/ERROR_Covariance.txt
new file mode 100644
index 0000000..d94830e
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Covariance.txt
@@ -0,0 +1,3 @@
+ERROR_Covariance.dfy(24,11): Error: value does not satisfy the subset constraints of 'formula<real>'
+
+Dafny program verifier finished with 2 verified, 1 error
diff --git a/v4.10.0/HowToFAQ/ERROR_DataTypeName.md b/v4.10.0/HowToFAQ/ERROR_DataTypeName.md
new file mode 100644
index 0000000..6adda2c
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_DataTypeName.md
@@ -0,0 +1,25 @@
+---
+title: "Error: name of datatype (String) is used as a function?"
+---
+
+How do I fix this error message: "name of datatype (String) is used as a function"?
+
+```dafny
+module MString {
+  export provides String
+  datatype String = String(s: string)
+}
+module MX {
+  import opened MString
+  const S := String("asd")
+}
+```
+
+The names visible in module `MX` are the datatype `String` but not its constructor, since 
+the dataype is only imported as `provides`.
+Consequently, the only option for the name `String` in module `MX` is that datatype, 
+which then causes the error message.
+
+The fix to this is to declare the export as `export reveals String`.
+If `String` is meant to be opaque (only provided) then you cannot construct elements of it; 
+if it is meant to be transparent, then you must reveal it.
diff --git a/v4.10.0/HowToFAQ/ERROR_DuplicateImportName.md b/v4.10.0/HowToFAQ/ERROR_DuplicateImportName.md
new file mode 100644
index 0000000..14b47de
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_DuplicateImportName.md
@@ -0,0 +1,17 @@
+---
+title: "Duplicate name of import: ..."
+---
+
+This error results from importing two modules with the same name. For example
+```dafny
+import A.Util
+import B.util
+```
+In this case, the default name given to the two imports is the same: `Util`.
+To give them different names, use the longer form of the import statement
+```dafny
+import A.Util
+import BU = B.Util;
+```
+Now a name `N` from `A.Util` can  be referred to as `Util.N` and
+a name `N` from `B.Util` can be referred to as `BU.N`.
diff --git a/v4.10.0/HowToFAQ/ERROR_FunctionPrecondition.md b/v4.10.0/HowToFAQ/ERROR_FunctionPrecondition.md
new file mode 100644
index 0000000..16fb64d
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_FunctionPrecondition.md
@@ -0,0 +1,26 @@
+---
+title: "Error: possible violation of function precondition for op(v)"
+---
+
+Here is code that provoked this error (though the error message as been made more specific in later releases):
+```dafny
+ghost function Eval(): string -> bool {
+   EvalOperator(Dummy)
+}
+
+ghost function EvalOperator(op: string -> bool): string -> bool 
+{
+  (v: string) => op(v)
+}
+
+function Dummy(str: string): bool
+  requires str == []
+```
+
+The problem has to do with [arrow types](../../DafnyRef/DafnyRef#sec-arrow-types).
+In particular here, the argument of `EvalOperator` takes a `->` function, which is a total, heap-independent function.
+However, its argument, `Dummy`, is a partial, heap-independent function, because it has a precondition.
+If you want `EvalOperator` to be flexible enough to take partial functions, then declare `op` to have the type
+`string --> bool`.
+
+There is more on arrow types in the [reference manual](../DafnyRef/DafnyRef.html#sec-arrow-subset-types);
diff --git a/v4.10.0/HowToFAQ/ERROR_InsufficientReads.dfy b/v4.10.0/HowToFAQ/ERROR_InsufficientReads.dfy
new file mode 100644
index 0000000..f511237
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_InsufficientReads.dfy
@@ -0,0 +1,23 @@
+class {:autocontracts} A {
+    ghost predicate Valid() {
+        true
+    }
+
+    constructor() {
+        // no-op
+    }
+}
+
+class {:autocontracts} B {
+    var things: set<A>
+
+    ghost predicate Valid()
+        reads things
+    {
+        forall thing | thing in things :: thing.Valid()
+    }
+
+    constructor() {
+        things := {};
+    }
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_InsufficientReads.md b/v4.10.0/HowToFAQ/ERROR_InsufficientReads.md
new file mode 100644
index 0000000..a2a80c1
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_InsufficientReads.md
@@ -0,0 +1,53 @@
+---
+title: "Error: insufficient reads clause to invoke function"
+---
+
+Example: This code
+```
+{% include_relative ERROR_InsufficientReads.dfy %}
+```
+produces this output:
+```
+{% include_relative ERROR_InsufficientReads.txt %}
+```
+
+This error message indicates that a nested call of a function needs a bigger `reads` set than its enclosing function provides.
+
+Another situation provoking this error is this:
+```dafny
+class A {
+  var x: int
+  predicate IsSpecial() reads this {
+    x == 2
+  }
+}
+type Ap  = x : A | x.IsSpecial() witness *
+```
+In this case the error message is a bit misleading. The real problem is that the predicate in the subset declaration (that is, `x.IsSpecial()`)
+is not allowed to depend on the heap, as `IsSpecial` does. If such a dependency were allowed, then changing some values in the heap could
+possibly change the predicate such that a value which was allowed in the subset type now suddenly is not. This situation would be a disaster for both
+soundness and ease of reasoning.
+
+Another variation on the above is this example:
+```dafny
+trait A { var x: int }
+type AZero = a: A | a.x == 0 witness *
+```
+where again the predicate depends on a heap variable `x`, which Dafny does not permit.
+
+And a final example:
+```dafny
+datatype Foo = Foo | Foofoo
+
+class Bar {
+  var foo: set<Foo>;
+  function method getFoo(): set<Foo> { this.foo }
+}
+```
+which produces `Error: insufficient reads clause to read field`. In this case the function `getFoo` does indeed have an insufficient reads clause, as
+it does not have one, yet it reads a field of `this`. You can insert either `reads this` or ``reads this`foo`` before the left brace.
+
+The code in the original question is fixed like this:
+```
+{% include_relative ERROR_InsufficientReads1.dfy %}
+```
diff --git a/v4.10.0/HowToFAQ/ERROR_InsufficientReads.txt b/v4.10.0/HowToFAQ/ERROR_InsufficientReads.txt
new file mode 100644
index 0000000..63bac10
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_InsufficientReads.txt
@@ -0,0 +1,3 @@
+ERROR_InsufficientReads.dfy(17,48): Error: insufficient reads clause to invoke function
+
+Dafny program verifier finished with 3 verified, 1 error
diff --git a/v4.10.0/HowToFAQ/ERROR_InsufficientReads1.dfy b/v4.10.0/HowToFAQ/ERROR_InsufficientReads1.dfy
new file mode 100644
index 0000000..41589a0
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_InsufficientReads1.dfy
@@ -0,0 +1,23 @@
+class A {
+    predicate Valid() reads this {
+        true
+    }
+
+    constructor() {
+        // no-op
+    }
+}
+
+class B {
+    var things: set<A>
+
+    predicate Valid()
+        reads this, things
+    {
+        forall thing | thing in things :: thing.Valid()
+    }
+
+    constructor() {
+        things := {};
+    }
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_IsFailure.md b/v4.10.0/HowToFAQ/ERROR_IsFailure.md
new file mode 100644
index 0000000..861fd0b
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_IsFailure.md
@@ -0,0 +1,6 @@
+---
+title: "Error: type ? does not have a member IsFailure"
+---
+
+The `IsFailure` member is a necessary part of [_failure-compatible_ types](../..//DafnyRef/DafnyRef#sec-failure-compatible-types), which are used with the `:-` operator.
+See the discussion in the reference manual for more detail.
diff --git a/v4.10.0/HowToFAQ/ERROR_ModifiesValue.dfy b/v4.10.0/HowToFAQ/ERROR_ModifiesValue.dfy
new file mode 100644
index 0000000..9fdfdf9
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_ModifiesValue.dfy
@@ -0,0 +1,5 @@
+class A {}
+method test(m: map<int,A>) 
+  modifies m;
+{
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_ModifiesValue.md b/v4.10.0/HowToFAQ/ERROR_ModifiesValue.md
new file mode 100644
index 0000000..af36562
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_ModifiesValue.md
@@ -0,0 +1,20 @@
+---
+title: "Error: a modifies-clause expression must denote an object or a set/iset/multiset/seq of objects (instead got map<int, A>)"
+---
+
+
+Here is example code that produces the given error message:
+```dafny
+{% include_relative ERROR_ModifiesValue.dfy %}
+```
+
+The expression in the modifies clause is expected to be a set of object references.
+It is permitted also to be a comma-separated list of object references or sets or sequences of such references.
+In this example, the expression is none of these; instead it is a `map`.
+`map`s are values and so are not modified; new values are created, just like an integer is not modified --- one computes a different integer value.
+
+If the intent here is to say that any of the `A` objects stored in the map may be modified, then one has to construct a set of all those objects.
+For a map, there is an easy way to do this: just say `m.Values`, as in this rewrite of the example:
+```
+{% include_relative ERROR_ModifiesValue1.dfy %}
+```
diff --git a/v4.10.0/HowToFAQ/ERROR_ModifiesValue.txt b/v4.10.0/HowToFAQ/ERROR_ModifiesValue.txt
new file mode 100644
index 0000000..d6f94b1
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_ModifiesValue.txt
@@ -0,0 +1,2 @@
+ERROR_ModifiesValue.dfy(3,11): Error: a modifies-clause expression must denote an object or a set/iset/multiset/seq of objects (instead got map<int, A>)
+1 resolution/type errors detected in ERROR_ModifiesValue.dfy
diff --git a/v4.10.0/HowToFAQ/ERROR_ModifiesValue1.dfy b/v4.10.0/HowToFAQ/ERROR_ModifiesValue1.dfy
new file mode 100644
index 0000000..c06d538
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_ModifiesValue1.dfy
@@ -0,0 +1,5 @@
+class A {}
+method test(m: map<int,A>) 
+  modifies m.Values;
+{
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_MutableField.dfy b/v4.10.0/HowToFAQ/ERROR_MutableField.dfy
new file mode 100644
index 0000000..5b7a613
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_MutableField.dfy
@@ -0,0 +1,15 @@
+module M {
+    export
+        provides A, 
+                 A.foo, // want to export foo, which refers to x
+                 A.x    // to make export set self-consistent, need to export x
+
+    class A {
+        var x: int
+        function method foo(): int
+          reads this
+        {
+            x
+        }
+    }
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_MutableField.md b/v4.10.0/HowToFAQ/ERROR_MutableField.md
new file mode 100644
index 0000000..98f358b
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_MutableField.md
@@ -0,0 +1,28 @@
+---
+title: Cannot export mutable field 'x' without revealing its enclosing class 'A'
+---
+
+An example of this error is the code
+```dafny
+{% include_relative ERROR_MutableField.dfy %}
+```
+which produces the error
+```text
+{% include_relative ERROR_MutableField.txt %}
+```
+
+By only providing `A`, importers will know that `A` is a type, 
+but won’t know that it is a reference type (here, a class). 
+This makes it illegal to refer to a mutable field such as in the reads clause. 
+So, you have to export A by revealing it.
+
+Note, `export reveals A` does not export the members of A 
+(except, it does export the anonymous constructor of A, if there is one). 
+So, you still have control over which members of A to export.
+
+The following code verifies without error:
+```dafny
+{% include_relative ERROR_MutableField1.dfy %}
+```
+
+
diff --git a/v4.10.0/HowToFAQ/ERROR_MutableField.txt b/v4.10.0/HowToFAQ/ERROR_MutableField.txt
new file mode 100644
index 0000000..77e4dc9
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_MutableField.txt
@@ -0,0 +1,2 @@
+ERROR_MutableField.dfy(5,19): Error: Cannot export mutable field 'x' without revealing its enclosing class 'A'
+1 resolution/type errors detected in ERROR_MutableField.dfy
diff --git a/v4.10.0/HowToFAQ/ERROR_MutableField1.dfy b/v4.10.0/HowToFAQ/ERROR_MutableField1.dfy
new file mode 100644
index 0000000..f9635aa
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_MutableField1.dfy
@@ -0,0 +1,16 @@
+module M {
+    export
+        reveals A
+        provides  
+                 A.foo, // want to export foo, which refers to x
+                 A.x    // to make export set self-consistent, need to export x
+
+    class A {
+        var x: int
+        function method foo(): int
+          reads this
+        {
+            x
+        }
+    }
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_NoLHS.dfy b/v4.10.0/HowToFAQ/ERROR_NoLHS.dfy
new file mode 100644
index 0000000..726d8af
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_NoLHS.dfy
@@ -0,0 +1,4 @@
+method PickKey<K, V>(m: map<K, V>) returns (ret: K) {
+  var k :| k in m;
+  return k;
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_NoLHS.md b/v4.10.0/HowToFAQ/ERROR_NoLHS.md
new file mode 100644
index 0000000..3ac7658
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_NoLHS.md
@@ -0,0 +1,21 @@
+---
+title: "Error: cannot establish the existence of LHS values that satisfy the such-that predicate"
+---
+
+Here is example code that produces this error:
+```dafny
+{% include_relative ERROR_NoLHS.dfy %}
+```
+
+
+When a _such-that_ (`:|`) initialization is used, Dafny must be able to establish that there is at least one value
+that satisfies the predicate given on the RHS. 
+That is, in this case, it must prove
+`assert exists k :: k in m;`.
+But for this example, if the map `m` is empty, there is no such value,
+so the error message results.
+
+If you add a precondition that the map is non-empty, then the error is gone:
+```
+{% include_relative ERROR_NoLHS1.dfy %}
+```
diff --git a/v4.10.0/HowToFAQ/ERROR_NoLHS.txt b/v4.10.0/HowToFAQ/ERROR_NoLHS.txt
new file mode 100644
index 0000000..90dcfa6
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_NoLHS.txt
@@ -0,0 +1,3 @@
+ERROR_NoLHS.dfy(2,8): Error: cannot establish the existence of LHS values that satisfy the such-that predicate
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/HowToFAQ/ERROR_NoLHS1.dfy b/v4.10.0/HowToFAQ/ERROR_NoLHS1.dfy
new file mode 100644
index 0000000..f089c24
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_NoLHS1.dfy
@@ -0,0 +1,6 @@
+method PickKey<K, V>(m: map<K, V>) returns (ret: K) 
+  requires |m.Keys| > 0
+{
+  var k :| k in m;
+  return k;
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_NoLHS1.txt b/v4.10.0/HowToFAQ/ERROR_NoLHS1.txt
new file mode 100644
index 0000000..32a40e8
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_NoLHS1.txt
@@ -0,0 +1,3 @@
+
+Dafny program verifier finished with 1 verified, 0 errors
+Compiled assembly into ERROR_NoLHS1.dll
diff --git a/v4.10.0/HowToFAQ/ERROR_NoReferenceTypeParameter.md b/v4.10.0/HowToFAQ/ERROR_NoReferenceTypeParameter.md
new file mode 100644
index 0000000..8320b0d
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_NoReferenceTypeParameter.md
@@ -0,0 +1,21 @@
+---
+title: "Error: type parameter 0 (K) passed to type A must support no references"
+---
+
+Ordinarily, a type parameter `X` can be instantiated with any type.
+
+However, in some cases, it is desirable to say that `X` is only allowed to be instantiated by types that have certain characteristics. One such characteristic is that the type does not have any references.
+
+A “reference”, here, refers to a type that is or contains a reference type. Reference types are class and trait types. So, if a type parameter is restricted to only “no reference” types, then you cannot instantiate it with a class type or a trait type.
+A datatype can also include a reference. For example,
+datatype MyDatatype = Ctor(x: MyClass)
+More subtly, a type
+datatype D<X> = Ctor(x: X)
+might also contain a reference type if `X` is a type that can contain a reference type.
+
+
+If you’re getting the “no reference” error, then you’re either trying to write an unbounded quantifier over a type that may contain references, or you’re trying to use a type that may contain references to instantiate a type parameter restricted to no-reference types.
+Type characteristics that a type parameter must satisfy are written in parentheses after the type name and are separated by commas. For example, to say that a type parameter `X` must not contain any references, you would declare it as `X(!new)`. To further ensure it supports compile-time equality, you would declare it as `X(!new,==)`.
+Presumably, you’re trying to instantiate a type parameter like `X(!new)` with a type that may contain references.
+
+There is more discussion of type parameter characteristics in the [reference manual](../../DafnyRef/DafnyRef#sec-type-parameters).
diff --git a/v4.10.0/HowToFAQ/ERROR_NoTriggers.md b/v4.10.0/HowToFAQ/ERROR_NoTriggers.md
new file mode 100644
index 0000000..a3f0230
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_NoTriggers.md
@@ -0,0 +1,37 @@
+---
+title: "Warning: /!\ No terms found to trigger on."
+---
+
+This warning occurred with the following code:
+```dafny
+predicate ExistsSingleInstance(s : string32, delim : string32)
+  {
+    exists pos : nat ::
+      (pos <= |s| - |delim| && forall x : nat :: x < |delim| ==> s[pos + x] == delim[x]) &&
+      forall pos' : nat :: (pos' <= |s| - |delim| && forall y : nat :: y < |delim| ==> s[pos' + y] == delim[y]) ==> pos == pos'
+  }
+```
+
+The verifier uses quantifications by finding good ways to instantiate them.
+More precisely, it uses `forall` quantifiers by instantiating them and it proves `exists` quantifiers by finding witnesses for them.
+The warning you’re getting says that nothing stands out to the verifier as a good way to figure out good instantiations.
+
+In the case of `pos`, this stems from the fact that a good instantiation would be some `pos` for which the verifier already knows either `pos <= …` or `forall x :: …`, the former of which is not specific enough and the latter is too complicated for it to consider.
+
+The “no trigger” warning is fixed by this refactoring:
+```dafny
+predicate SingleInstance(s: string, delim: string, pos: nat)
+{
+  pos <= |s| - |delim| &&
+  forall x : nat :: x < |delim| ==> s[pos + x] == delim[x]
+}
+
+predicate ExistsSingleInstance'(s: string, delim: string)
+{
+  exists pos : nat ::
+    SingleInstance(s, delim, pos) &&
+    forall pos' : nat :: SingleInstance(s, delim, pos') ==> pos == pos'
+}
+```
+
+One more remark: The “no trigger” warning should be taken seriously, because it’s usually a sign that there will be problems with using the formula and/or problems with verification performance.
diff --git a/v4.10.0/HowToFAQ/ERROR_PostconditionLemma.dfy b/v4.10.0/HowToFAQ/ERROR_PostconditionLemma.dfy
new file mode 100644
index 0000000..0e647d4
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_PostconditionLemma.dfy
@@ -0,0 +1,6 @@
+lemma L() {}
+
+method test() 
+  ensures L(); true
+{
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_PostconditionLemma.md b/v4.10.0/HowToFAQ/ERROR_PostconditionLemma.md
new file mode 100644
index 0000000..8c8ac81
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_PostconditionLemma.md
@@ -0,0 +1,21 @@
+---
+title: "Error: this symbol not expected in Dafny"
+---
+
+This error message is not clear and may come from a variety of sources. Here is one:
+```dafny
+{% include_relative ERROR_PostconditionLemma.dfy %}
+```
+which produces 
+```text
+{% include_relative ERROR_PostconditionLemma.txt %}
+```
+
+The error message points to the token `true` as the unexpected symbol.
+`true` is definitely a legitimate symbol in Dafny.
+
+The problem is that the `;` in the `ensures` clause is seen as the (optional) semicolon that can end
+the clause. Thus the `true` is interpreted as the (illegal) start to a new clause (or a `{` to start the body).
+
+The correct way to include a lemma with the postcondition is to use parentheses:
+`ensures (L(); true)
diff --git a/v4.10.0/HowToFAQ/ERROR_PostconditionLemma.txt b/v4.10.0/HowToFAQ/ERROR_PostconditionLemma.txt
new file mode 100644
index 0000000..9eb1af5
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_PostconditionLemma.txt
@@ -0,0 +1,2 @@
+ERROR_PostconditionLemma.dfy(4,15): Error: this symbol not expected in Dafny
+1 parse errors detected in ERROR_PostconditionLemma.dfy
diff --git a/v4.10.0/HowToFAQ/ERROR_ProverError1.md b/v4.10.0/HowToFAQ/ERROR_ProverError1.md
new file mode 100644
index 0000000..4d631c3
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_ProverError1.md
@@ -0,0 +1,8 @@
+---
+title: "Prover error: Unexpected prover response (getting info about 'unknown' response): (:reason-unknown 'Overflow encountered when expanding old_vector')"
+---
+
+This error is caused by a bug in the Z3 backend tool used by Dafny. 
+As of v3.9.0 there is work underway to update Z3 to a more recent version.
+Until then, the best you can do is to try to change the verification condition sent to Z3 by splitting it up, using various Dafny options and attributes like `{:split_here}`, `{:focus}`, `/vcsSplitOnEveryAssert`, `/vcsMaxSplits`, and `/randomSeed`.
+
diff --git a/v4.10.0/HowToFAQ/ERROR_Rbrace.md b/v4.10.0/HowToFAQ/ERROR_Rbrace.md
new file mode 100644
index 0000000..b069a35
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Rbrace.md
@@ -0,0 +1,27 @@
+---
+title: "Error: rbrace expected"
+---
+
+The error "rbrace expected"
+is a common occurence caused by some parsing error within a brace-enclosed block, such as a module declaration, a class declaration, or a block statement.
+The error means that the parser does not expect whatever characters it next sees. Consequently, the parser just says that it expects the block to be closed by a right curly brace (`}`).
+Indeed, one cause might be an inadvertently omitted right brace.
+
+Here are some other examples:
+
+- A misspelled keyword introducing the next declaration
+```
+{% include_relative ERROR_Rbrace4.dfy %}
+```
+- A `const` initializer follows ':=', not '='
+```
+{% include_relative ERROR_Rbrace1.dfy %}
+```
+- A field (`var`) does not take an initializer
+```
+{% include_relative ERROR_Rbrace3.dfy %}
+```
+- A field (`var`) does not take an initializer, and if it did it would follow a `:=`, not a `=`
+```
+{% include_relative ERROR_Rbrace2.dfy %}
+```
diff --git a/v4.10.0/HowToFAQ/ERROR_Rbrace1.dfy b/v4.10.0/HowToFAQ/ERROR_Rbrace1.dfy
new file mode 100644
index 0000000..844d28c
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Rbrace1.dfy
@@ -0,0 +1,3 @@
+module A {
+  const x: int= 4; 
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_Rbrace1.txt b/v4.10.0/HowToFAQ/ERROR_Rbrace1.txt
new file mode 100644
index 0000000..7440f65
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Rbrace1.txt
@@ -0,0 +1,2 @@
+ERROR_Rbrace1.dfy(2,14): Error: rbrace expected
+1 parse errors detected in ERROR_Rbrace1.dfy
diff --git a/v4.10.0/HowToFAQ/ERROR_Rbrace2.dfy b/v4.10.0/HowToFAQ/ERROR_Rbrace2.dfy
new file mode 100644
index 0000000..f08eac5
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Rbrace2.dfy
@@ -0,0 +1,3 @@
+class A {
+  var x: int = 5;
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_Rbrace2.txt b/v4.10.0/HowToFAQ/ERROR_Rbrace2.txt
new file mode 100644
index 0000000..b2e7d5e
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Rbrace2.txt
@@ -0,0 +1,2 @@
+ERROR_Rbrace2.dfy(2,13): Error: rbrace expected
+1 parse errors detected in ERROR_Rbrace2.dfy
diff --git a/v4.10.0/HowToFAQ/ERROR_Rbrace3.dfy b/v4.10.0/HowToFAQ/ERROR_Rbrace3.dfy
new file mode 100644
index 0000000..08c8b71
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Rbrace3.dfy
@@ -0,0 +1,3 @@
+class B {
+  var x: int := 5
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_Rbrace3.txt b/v4.10.0/HowToFAQ/ERROR_Rbrace3.txt
new file mode 100644
index 0000000..c71f892
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Rbrace3.txt
@@ -0,0 +1,2 @@
+ERROR_Rbrace3.dfy(2,13): Error: rbrace expected
+1 parse errors detected in ERROR_Rbrace3.dfy
diff --git a/v4.10.0/HowToFAQ/ERROR_Rbrace4.dfy b/v4.10.0/HowToFAQ/ERROR_Rbrace4.dfy
new file mode 100644
index 0000000..4039981
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Rbrace4.dfy
@@ -0,0 +1,4 @@
+module A {
+  method m() {}
+  mthod  n() {}
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_Rbrace4.txt b/v4.10.0/HowToFAQ/ERROR_Rbrace4.txt
new file mode 100644
index 0000000..65f32d4
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Rbrace4.txt
@@ -0,0 +1,2 @@
+ERROR_Rbrace4.dfy(3,2): Error: rbrace expected
+1 parse errors detected in ERROR_Rbrace4.dfy
diff --git a/v4.10.0/HowToFAQ/ERROR_SeqComp.dfy b/v4.10.0/HowToFAQ/ERROR_SeqComp.dfy
new file mode 100644
index 0000000..6f39c6d
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_SeqComp.dfy
@@ -0,0 +1,9 @@
+function f(i: int): int
+  requires i < 10 
+{
+  i
+}
+
+method test() {
+  var s := seq(5, i => f(i));
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_SeqComp.md b/v4.10.0/HowToFAQ/ERROR_SeqComp.md
new file mode 100644
index 0000000..67bb289
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_SeqComp.md
@@ -0,0 +1,18 @@
+---
+title: "Error: function precondition might not hold"
+---
+
+This error can occur when trying to write a sequence comprehension expression like
+```dafny
+{% include_relative ERROR_SeqComp.dfy %}
+```
+which produces
+```text
+{% include_relative ERROR_SeqComp.txt %}
+```
+
+The problem is that current Dafny does not implicitly impose the condition that the function used to initialize the 
+sequence elements is only called with `nat` values less than the size of the new sequence. That condition has to be made explicit:
+```dafny
+{% include_relative ERROR_SeqComp1.dfy %}
+```
diff --git a/v4.10.0/HowToFAQ/ERROR_SeqComp.txt b/v4.10.0/HowToFAQ/ERROR_SeqComp.txt
new file mode 100644
index 0000000..151a22a
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_SeqComp.txt
@@ -0,0 +1,4 @@
+ERROR_SeqComp.dfy(8,23): Error: function precondition might not hold
+ERROR_SeqComp.dfy(2,13): Related location
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/HowToFAQ/ERROR_SeqComp1.dfy b/v4.10.0/HowToFAQ/ERROR_SeqComp1.dfy
new file mode 100644
index 0000000..2733e0b
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_SeqComp1.dfy
@@ -0,0 +1,9 @@
+function f(i: int): int
+  requires i < 10 
+{
+  i
+}
+
+method test() {
+  var s := seq(5, i requires i < 10 => f(i));
+}
diff --git a/v4.10.0/HowToFAQ/ERROR_SeqComp1.txt b/v4.10.0/HowToFAQ/ERROR_SeqComp1.txt
new file mode 100644
index 0000000..2d92ac5
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_SeqComp1.txt
@@ -0,0 +1,3 @@
+
+Dafny program verifier finished with 1 verified, 0 errors
+Compiled assembly into ERROR_SeqComp1.dll
diff --git a/v4.10.0/HowToFAQ/ERROR_SubsetConstraints.md b/v4.10.0/HowToFAQ/ERROR_SubsetConstraints.md
new file mode 100644
index 0000000..389feab
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_SubsetConstraints.md
@@ -0,0 +1,29 @@
+---
+title: "Error: value does not satisfy the subset constraints of '(seq<uint8>, Materials.EncryptedDataKey) -> seq<uint8>' (possible cause: it may be partial or have read effects)"
+---
+
+Here is an example of submitted code that produced this error:
+```dafny
+function EncryptedDataKeys(edks: Msg.EncryptedDataKeys):  (ret: seq<uint8>)
+  requires edks.Valid()
+{
+    UInt16ToSeq(|edks.entries| as uint16) + FoldLeft(FoldEncryptedDataKey, [], edks.entries)
+}
+
+function FoldEncryptedDataKey(acc: seq<uint8>, edk: Materials.EncryptedDataKey): (ret: seq<uint8>)
+  requires edk.Valid()
+{
+    acc + edk.providerID + edk.providerInfo + edk.ciphertext
+}
+```
+
+The general cause of this error is supplying some value to a situation where (a) the type of the target (declared variable, formal argument) is a subset type and (b) Dafny cannot prove that the value falls within the predicate for the subset type. In this example code, `uint8` is likely a subset type and could be at fault here.
+But more likely and less obvious is supplying `FoldEncryptedDataKey` as the actual argument to `FoldLeft`.
+
+The signature of `FoldLeft` is `function {:opaque} FoldLeft<A,T>(f: (A, T) -> A, init: A, s: seq<T>): A`.
+Note that the type of the function uses a `->` arrow, namely a total, heap-independent function (no requires or reads clause).
+But `FoldEncryptedDataKey` does have a requires clause. Since `->` functions are a subset type of partial, heap-dependent `~>` functions,
+the error message complains about the subset type constraints not being satisfied.
+
+These various arrow types are described in the [release notes](https://github.com/dafny-lang/dafny/releases/tag/v2.0.0)
+when they were first added to the language. They are also documented in the [reference manual](../DafnyRef/DafnyRef#sec-arrow-types).
diff --git a/v4.10.0/HowToFAQ/ERROR_Z3.md b/v4.10.0/HowToFAQ/ERROR_Z3.md
new file mode 100644
index 0000000..70d24d6
--- /dev/null
+++ b/v4.10.0/HowToFAQ/ERROR_Z3.md
@@ -0,0 +1,12 @@
+---
+title: "Error: z3 cannot be opened because the developer cannot be verified"
+---
+
+This error occurs on a Mac after a new installation of Dafny, with Z3.
+It is a result of security policies on the Mac.
+
+You can fix the result by running the shell script `allow_on_mac.sh`
+that is part of the release.
+
+The problem can arise with other components of Dafny as well.
+
diff --git a/v4.10.0/HowToFAQ/Errors-CommandLine.md b/v4.10.0/HowToFAQ/Errors-CommandLine.md
new file mode 100644
index 0000000..b7308b2
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-CommandLine.md
@@ -0,0 +1,260 @@
+
+<!-- %default %useHeadings %check-ids -->
+
+<!-- DafnyDriver/DafnyDriver.cs -->
+
+## **Error: No compiler found for target _target_; expecting one of _known_** {#cli_unknown_compiler}
+
+<!-- %check-cli %err -->
+```bash
+dafny build -t:zzz
+```
+
+The `-t` or `--target` options specifies which backend compiler to use for 
+those dafny commands that compile dafny to other programming languages. 
+This error message says that the named language is not supported.
+
+## **Error: no Dafny source files were specified as input** {#cli_no_files}
+
+<!-- %check-cli -->
+```bash
+dafny resolve
+```
+
+Any valid dafny invocation requires at least one .dfy file. 
+The only exceptions are the special commands like `--help` and `--version`.
+
+
+## ***** Error: _file_: Central Directory corrupt.** {#cli_bad_doo}
+
+<!-- %no-check --> <!-- TODO - not working on CI because of extra file -->
+```bash
+dafny resolve --use-basename-for-filename testsource/test1.dfy testsource/BadDoo.doo
+```
+
+This error message says that the `.doo` file was not able to be successfully unzipped.
+It indicates that the file is either corrupted or misnamed (it should not be a .doo file).
+
+## **Error: file _name_ not found** {#cli_file_not_found}
+
+<!-- %check-cli -->
+```bash
+dafny build -t:java testfiles/a.dfy zzz.java
+```
+
+This error message simply states that the named file could not be found
+by the dafny tool. Note that files on the command-line are named
+relative to the current working directory of the shell in which the
+command is invoked or are absolute file paths. In particular, this
+instance of this error message identifies non-.dfy files that still
+have permitted extensions (according to the target platform) but
+cannot be found in the file system.
+    
+## **Error: command-line argument '--zzz' is neither a recognized option nor a Dafny input file (.dfy, .doo, or .toml).** {#cli_bad_option}
+
+<!-- %check-cli -->
+```bash
+dafny resolve --zzz
+```
+
+The named command-line argument is either a misspelled option or a filename
+in an unrecognized form (e.g., with no filename extension).
+An invalid option with a filename as value can look like either one, such as `--out:a.doo`.
+
+## **Error: unknown switch: -zzz** {#cli_bad_option_legacy}
+
+<!-- %check-cli %err %first -->
+```bash
+dafny -zzz
+```
+
+The named command-line argument is either a misspelled option or a filename
+in an unrecognized form (e.g., with no filename extension).
+
+## **Error: '_name_': Filename extension '_ext_' is not supported. Input files must be Dafny programs (.dfy) or supported auxiliary files (_ext_)** {#cli_bad_extension}
+
+<!-- %check-cli -->
+```bash
+dafny build z.zzz
+```
+
+Dafny programs are in files with a `.dfy` extension.
+A Dafny program may be combined with other files appropriate to the
+target programming language being used, such as `.dll` files for C#
+or `.java` or `.jar` files for Java. The stated extension is not
+recognized.
+
+<!--
+## **Error: The command-line contains no .dfy files** {#cli-no-dafny-file_2}
+
+ TODO - this appears to be no longer reachable -->
+
+<!--
+## **Error: The command-line contains no .dfy files** {#cli-no-dafny-folder}
+
+ TODO - this appears to be no longer reachable -->
+
+## **Error: Only one .dfy file can be specified for testing** {#cli-test-generation}
+
+<!-- %no-check -->
+```bash
+dafny generate-tests block x.dfy y.dfy
+```
+
+The test-generation tool is still experimental.
+However, it is expected to take just a single `.dfy` file as input.
+
+
+## **Error: ModelView file must be specified when attempting counterexample extraction** {#cli-counterexample}
+
+<!-- %no-check --> <!-- TODO - not working on CI because of extra file -->
+```bash
+dafny /extractCounterexample testsource/test1.dfy
+```
+
+When requesting a counterexample to be generated, some additional options must be specified:
+a model view file using `/mv:<file>` and
+`/proverOpt:O:model.completion=true` and
+`/proverOpt:O:model_compress=false` (for z3 version < 4.8.7) or
+`/proverOpt:O:model.compact=false `(for z3 version >= 4.8.7).
+
+The model view file is an arbitrary non-existent file that is created and used as a temporary file
+during the creation of the counterexamples.
+
+## **Error: Feature not supported for this compilation target: _feature_** {#f_unsupported_feature}
+
+<!-- %check-run %exit 3 %options -t:cpp --unicode-char=true -->
+```dafny
+method m() {}
+```
+
+The backends that Dafny supports have their own limitations on the ability to implement some of Dafny's features. 
+This error message indicates that the Dafny program in question has hit one of these limitations. 
+Some limitations are inherent in the language, but others are a question of implementation priorities to date.
+If the feature is an important one for your project, communicate with the Dafny team to determine if the 
+omission can be corrected.
+
+## **Please use the '--check' and/or '--print' option as stdin cannot be formatted in place.** {#f_missing_format_option}
+
+<!-- %check-cli %err %first -->
+```bash
+dafny format --stdin
+```
+
+The dafny `format` command formats its input dafny program. The default behavior is to format the input files
+in place. It can instead just check that the file is formatted (`--check`) or print the formatted version to 
+stdout (`--print`). If the `--stdin` option is used, the input dafny program is taken from stdin, in which case
+it cannot be formatted in place, so either the `--check` or `--print` options must be used in conjunction with `--stdin`.
+
+## **The file _file_ needs to be formatted** {#f_file_needs_formatting}
+
+<!-- %check-cli -->
+dafny format testsource/test2.dfy
+-->
+
+This message is not an error. Rather it is the expected output of the `dafny format` command when
+`--check` is used: it states that the named input file is not formatted according to Dafny style.
+You can use `--print` to see the output. Also for an input file `test.dfy`, the command
+`dafny format --print test.dfy | diff test.dfy -` provides a diff between the original and the formatted files
+(without making any changes).
+
+<!-- DafnyCore/DafnyOptions.cs -->
+
+## **Error: Invalid argument _argument_ to option print-mode_help_** {#cli_print_mode}
+
+<!-- %check-cli %err %first -->
+```bash 
+dafny -printMode:zzz
+```
+
+The `printMode` option has a number of alternative values that are spelled out in the help document (`dafny -?`).
+It is also recommended to use the new CLI, with the option `--print-mode`.
+
+## **Error: Unsupported diagnostic format: _format_; expecting one of 'json', 'text'.** {#cli_diagnostic_format}
+
+<!-- %check-cli %err %first -->
+```bash
+dafny /diagnosticsFormat:zzz
+```
+
+This option controls the format of error messages. Typically the 'text' format is used (and is the default).
+But 'json' is also an option. Any other choice is illegal and results in this error message.
+
+## **Error: Invalid argument _argument_ to option functionSyntax_help_** {#cli_function_syntax}
+
+<!-- %check-cli %err %first -->
+```bash 
+dafny -functionSyntax:z
+```
+
+The `functionSyntax` option has a number of alternative values that are spelled out in the help document (`dafny -?`),
+most commonly the values '3' and '4' ('4' for dafny version 4.0 and later).
+It is also recommended to use the new CLI, with the option `--function-syntax`.
+
+## **Error: Invalid argument _argument_ to option quantifierSyntax_help_** {#cli_quantifier_syntax}
+
+<!-- %check-cli %err %first -->
+```bash 
+dafny -quantifierSyntax:z
+```
+
+The `quantifierSyntax ` option has a number of alternative values that are spelled out in the help document (`dafny -?`),
+most commonly the values '3' and '4' ('4' for dafny version 4.0 and later).
+It is also recommended to use the new CLI, with the option `--quantifier-syntax`.
+
+## **Error: Invalid argument _argument_ to option verificationLogger_help_** {#cli_verification_logger}
+
+<!-- %verify %err %first -->
+```bash 
+--log-format:z
+```
+
+The `--log-format` option has these alternatives: trx, csv, text.
+
+## **Error: Invalid argument _argument_ to option testContracts_help_** {#cli_test_contracts}
+
+<!-- %check-cli %err %first -->
+```bash 
+dafny -testContracts:z
+```
+
+The `testContracts` option has these alternatives: Externs, TestedExterns.
+The similar option in the new CLI is `--test-assumptions`.
+
+## **Error: Invalid argument _argument_ to option printIncludes_help_** {#cli_print_includes}
+
+<!-- %check-cli %err %first -->
+```bash 
+dafny -printIncludes:z
+```
+
+The `printIncludes` option has these alternatives: None, Immediate, Transitive.
+
+## **Argument '_argument_' not recognized. _Alternatives_** {#cli_quantifier_syntax}
+
+<!-- %no-check TODO: Outputs the help document  -->
+```bash 
+dafny resolve --show-snippets:false --quantifier-syntax:2 null.dfy
+```
+
+This is a generic error message about command-line arguments,
+indicating that the value given (after the `:` or `=` or as the next command-line argument) is not recognized as a valid value for the given option.
+
+The correct spellings of the valid values should be stated 
+in the help document (`dafny -?` or `dafny <command> -h`).
+
+
+<!-- In boogie option processing -->
+
+## **Error: unknown switch: _switch_** {#cli_unknown_legacy_option}
+
+<!-- %check-cli %err %first -->
+```bash
+dafny --stdin
+```
+
+This error results from using an unknown command-line option in the 
+legacy CLI, such as one that begins with a double hyphen.
+It is recommended to use the new CLI in which the command-line begins
+with an action verb (e.g., resolve, verify, run) followed by 
+files, folders, and options written with double-hyphen prefixes.
diff --git a/v4.10.0/HowToFAQ/Errors-Compiler.md b/v4.10.0/HowToFAQ/Errors-Compiler.md
new file mode 100644
index 0000000..da243df
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-Compiler.md
@@ -0,0 +1,513 @@
+<!-- %default %useHeadings %check-ids -->
+
+<!-- The file Errors-Compiler.template is used along with Compiler-Errors.cs to produce Errors-Compiler.md.
+     Errors-Compiler.template holds the structure of the markdown file and the examples of each error message.
+     Compiler-Errors.cs holds the text of error explanations, so they are just in the source code rather than duplicated also in markdown.
+     The content of Errors-Compiler.template and Compiler-Errors.cs are tied together by the errorids.
+     Thus Errors-Compiler.md is a generated file that should not be edited itself.
+     The program make-error-catalog does the file generation.
+-->
+
+<!-- DafnyCore/Compilers/ExecutableBackend.cs -->
+
+## **Error: _process_ Process exited with exit code _code_** {#c_process_exit}
+
+The dafny compiler prepares a representation of the Dafny program in the desired target programming
+language and then invokes the target language's compiler on those files as a subsidiary process.
+This error message indicates that the sub-process terminated with an error of some sort.
+This should not ordinarily happen. Some possible causes are
+- lack of resources that caused the underlying compiler to fail
+- lack of or corrupted installation of the underlying compiler
+- a bug in dafny whereby the source code it prepares for the compiler is faulty
+
+There may be additional error messages from the underlying compiler that can help debug this situation.
+You can also attempt to run the target programming language compiler manually in your system 
+to make sure it is functional.
+
+## **Error: Unable to start _target_** {#c_process_failed_to_start}
+
+The dafny compiler prepares a representation of the Dafny program in the desired target programming
+language and then invokes the target language's compiler on those files as a subsidiary process.
+This error message indicates that this sub-process would not start;
+it gives some additional information about what the invoking process was told about the failure to start.
+
+Typically this error happens when the installation of the underlying compiler is not present or is incomplete,
+such as the proper files not having the correct permissions.
+
+<!-- DafnyCore/Compilers/SinglePassCompiler.cs -->
+
+## **Error: Error: '_feature_' is not an element of the _target_ compiler's UnsupportedFeatures set** {#c_unsupported_feature}
+
+This messages indicates two problems:
+- the given feature is not supported in the compiler for the target language but is present in the program,
+so the program will need to be revised to avoid this feature;
+- the feature is not listed in the in-tool list of unsupported features.
+The latter is an omission in the in-tool documentation. Please report this error message and the part of the
+program provoking it to the Dafny team's [issue tracker](https://github.com/dafny-lang/dafny/issues).
+
+## **Error: Abstract type ('_type_') with extern attribute requires a compile hint. Expected {:extern _hint_}** {#c_abstract_type_needs_hint}
+
+<!-- %check-run -->
+```dafny
+type {:extern } T
+```
+
+The type needs a name given to know which type in the target language it is associated with.
+
+## **Error: Abstract type (_name_) cannot be compiled; perhaps make it a type synonym or use :extern.** {#c_abstract_type_cannot_be_compiled}
+
+<!-- %check-run -->
+```dafny
+type T
+```
+
+[Abstract types](../DafnyRef/DafnyRef#sec-abstract-types) are declared like `type T`.
+They can be useful in programs where the particular characteristics of the type
+do not matter, such as in manipulating generic collections.
+Such programs can be verified, but in order to be compiled to something executable, 
+the type must be given an actual definition. 
+If the definition really does not matter, just give it a definition like 
+`type T = bool` or `type T = `int`.
+
+Note that some properties of a type an be indicated using a [type characteristic](../DafnyRef/DafnyRef#sec-type-characteristics).
+For example, [`type T(00)` indicates that the type `T` is non-empty](../DafnyRef/DafnyRef#sec-nonempty-types).
+
+## **Error: since yield parameters are initialized arbitrarily, iterators are forbidden by the --enforce-determinism option** {#c_iterators_are_not_deterministic}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+iterator Gen(start: int) yields (x: int)
+  yield ensures |xs| <= 10 && x == start + |xs| - 1
+{
+  var i := 0;
+  while i < 10 invariant |xs| == i {
+    x := start + i;
+    yield;
+    i := i + 1;
+  }
+}
+```
+
+The `--enforce-determinism` option requires a target program to be deterministic and predictable:
+there may be no program statements that have an arbitrary, even if deterministic, result.
+In an iterator, the yield parameters are initialized with arbitary values and can be read before 
+they are set with actual values, so there is a bit of nondeterminism.
+Consequently, iterators in general are not permitted along with `--enforce-determinism`.
+
+## **Error: iterator _name_ has no body** {#c_iterator_has_no_body}
+
+<!-- %check-run -->
+```dafny
+iterator Gen(start: int) yields (x: int)
+  yield ensures |xs| <= 10 && x == start + |xs| - 1
+```
+
+Programs containing iterators without bodies can be verified.
+However, a body-less iterator is an unchecked assumption (even if it is ghost).
+Consequently, like body-less functions and loops, dafny will not
+compile a program containing an iterator without a body.
+Furthermore, if the iterator is non-ghost, it cannot be compiled if it does not have a body.
+
+## **Error: since fields are initialized arbitrarily, constructor-less classes are forbidden by the --enforce-determinism option** {#c_constructorless_class_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+class A { var j: int }
+```
+
+The `--enforce-determinism` option prohibits all non-deterministic operations in a Dafny program.
+One of these operations is the arbitrary values assigned to non-explicitly-initialized fields in a default constructor.
+Consequently an explicit constructor is required.
+
+## **Error: The method '_name_' is not permitted as a main method (_reason_).** {#c_method_may_not_be_main_method}
+
+<!-- %check-run %options --main-method:mmm -->
+```dafny
+method mmm(i: int) {}
+```
+
+To create an executable program, the compiler needs to know which is the method 
+to call to start the program, typically known as the 'main' method or main entry point. 
+`dafny` chooses such a method based on a few rules (cf. [details in the Dafny User Guide](#sec-user-guide-main)).
+
+But there are restrictions on which methods may be used as a main entry point.
+Most importantly
+- the method must take no input arguments or just one argument of type `seq<string>`
+- it must not be ghost
+- the method may be a class method, but then typically it is `static`
+
+Most commonly and for clarity, the intended main method is marked with the attribute `{:main}`.
+
+## **Error: Could not find the method named by the -Main option: _name_** {#c_could_not_find_stipulated_main_method}
+
+<!-- %check-run %options --main-method:m -->
+```dafny
+class A { static method mm() {} }
+```
+
+In the legacy command-line syntax, the main method may be specified on the command-line.
+When doing so, the name given must be a fully-qualified name.
+For instance. a method `m` in a (top-level) module `M` is named `M.m` 
+or in a class `C` in a module `M` is named `M.C.m`.
+This error message indicates that dafny does not recognize the name given as the name of a method.
+
+## **Error: More than one method is marked {:main}. First declaration appeared at _location_.** {#c_more_than_one_explicit_main_method}
+
+<!-- %check-run -->
+```dafny
+method {:main} M(s: seq<string>) {}
+method {:main} P() {}
+```
+
+When searching all the files in the program (including `include`d ones), dafny found more than one method marked
+with `{:main}`. The error location is that of one of the methods and the error refers to another.
+The tool does not know which one to use. 
+The solution is to remove the `{:main}` attribute from all but one.
+
+Note that entry points that are intended as unit tests can be marked with `{:test}` instead.
+
+## **Error: This method marked {:main} is not permitted as a main method (_name_).** {#c_method_not_permitted_as_main}
+
+<!-- %check-run -->
+```dafny
+method {:main} M(i: int) {}
+```
+
+Only some methods may be used as entry points and the one indicated may not.
+The principal restrictions are these ([more details in the Dafny User Guide](#sec-user-guide-main)):
+- the method must take no input arguments or just one argument of type `seq<string>`
+- it must not be ghost
+- the method may be a class method, but then typically it is `static`
+
+## **Error: More than one method is declared as 'Main'. First declaration appeared at _location_.** {#c_more_than_one_default_Main_method}
+
+<!-- %check-run -->
+```dafny
+method Main(s: seq<string>) {}
+class A {
+  static method Main() {}
+}
+```
+
+In the absence of any `{:main}` attributes, dafny chooses a method named `Main` as the main entry point.
+When searching all the files in the program (including `include`d ones), dafny found more than one method named `Main`.
+The error location is that of one of the methods and the error text refers to another.
+The solution is to mark one of them as `{:main}`.
+
+Note that entry points that are intended as unit tests can be marked with `{:test}` instead.
+
+## **Error: This method 'Main' is not permitted as a main method (_reason_).** {#c_Main_method_not_permitted}
+
+<!-- %check-run -->
+```dafny
+method Main(i: int) {}
+```
+
+If dafny finds no methods marked `{:main}`, it then looks for a method named `Main`
+to use as the starting point for the program.
+This error occurs if the `Main` method that is found
+does not qualify as a main entry point because it violates one or more of the [rules](#sec-user-guide-main),
+as given by the reason in the error message.
+
+## **Error: Function _name_ has no body so it cannot be compiled** {#c_function_has_no_body}
+
+<!-- %check-run -->
+```dafny
+function f(): int
+```
+
+The given function has no body, which is OK for verification, but not OK for compilation 
+--- the compiler does not know what content to give it.
+Even ghost functions must have bodies because body-less ghost functions are a form of unchecked assumptions.
+
+## **Error: Function _name_ must be compiled to use the {:test} attribute** {#c_test_function_must_be_compilable}
+
+<!-- %check-run -->
+```dafny
+ghost function {:test} f(): int { 42 }
+```
+
+Only compiled functions and methods may be tested using the `dafny test` command, 
+which tests everything marked with `{:test}`.
+However this function is a ghost function, and consequently cannot be tested during execution.
+If you want the function to be compiled,
+declare the function as a `function` instead of `ghost function` in Dafny 4 
+or as `function method` instead of `function` in Dafny 3.
+
+## **Error: Method _name_ is annotated with :synthesize but is not static, has a body, or does not return anything** {#c_invalid_synthesize_method}
+
+<!-- TODO: Need example? -->
+The `{:synthesize}` attribute is an experimental attribute used to create 
+a mock object for methods that do not have bodies.
+It is currently only available for compiling to C# and in conjunction with the Moq library.
+See the [reference manual section on {:synthesize}](../DafnyRef/DafnyRef#sec-synthesize-attr) for more detail.
+
+## **Error: Method _name_ has no body so it cannot be compiled** {#c_method_has_no_body}
+
+<!-- %check-run -->
+```dafny
+method m()
+```
+
+To be part of a compiled program, each method must have a body.
+Ghost methods are the equivalent of unchecked assumptions
+so they too must have bodies.
+
+## **Warning: assume statement has no {:axiom} annotation** {#r_assume_statement_without_axiom}
+
+<!-- %check-run -->
+```dafny
+method m(x: int) {
+  assume x > 0;
+}
+```
+
+
+## **Error: a forall statement without a body cannot be compiled** {#c_forall_statement_has_no_body}
+
+<!-- %no-check  FIX: now has multiple lines of error messages -->
+```dafny
+predicate P(i: int)
+method m(a: array<int>) {
+  forall x: int | P(x) 
+  var y := 3;
+}
+```
+
+A method may be parsed and verified even if a [forall statement](../DafnyRef/DafnyRef#sec-forall-statement) is missing a body. 
+However, the body must be supplied before the program can be compiled,
+even if the method is `ghost`. Body-less foralls in ghost methods are 
+unchecked assumptions.
+
+## **Error: a loop without a body cannot be compiled** {#c_loop_has_no_body}
+
+<!-- %no-check  FIX: now has multiple lines of error messages -->
+```dafny
+ghost method m(i: int) {
+  var x: int := i;
+  while x > 0 
+  x := 3;
+}
+```
+
+A method may be parsed and verified even if a loop is missing a body. 
+Note that a missing body is different than an empty body, which is just `{ }`.
+However, the body must be supplied before the program can be compiled,
+even if the method is `ghost`. 
+Body-less loops in ghost methods are similar to unchecked assumptions.
+
+## **Error: nondeterministic assignment forbidden by the --enforce-determinism option** {#c_nondeterminism_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m() {
+  var x: int;
+  x := *;
+}
+```
+
+The `--enforce-determinism` option requires a target program to be deterministic and predictable:
+there may be no program statements that have an arbitrary, even if deterministic, result.
+Hence this 'assign any legal value' (`... := *`) statement is not permitted with `--enforce-determinism`.
+
+There are a few different forms of this kind of assignment:
+- `x := *;`
+- `x, y, z := 3, *, 42;`
+- `forall i | 0 <= i < a.Length { a[i] := *; }`
+
+<!-- TODO - test all 3 instances -->
+
+## **Error: assign-such-that statement forbidden by the --enforce-determinism option** {#c_assign_such_that_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m() {
+  var x: int;
+  x :| x < 5;
+}
+```
+
+The `--enforce-determinism` option requires a target program to be deterministic and predictable:
+there may be no program statements that have an arbitrary, even if deterministic, result.
+Hence this 'assign any value that satisfies the predicate' (`:|`) statement is not permitted with `--enforce-determinism`,
+even if there is only one such possible value.
+(The tool does not try to determine whether there is just one value and
+whether there is a reasonable way to compute the value.)
+
+## **Error: this assign-such-that statement is too advanced for the current compiler; Dafny's heuristics cannot find any bound for variable '_name_'** {#c_assign_such_that_is_too_complex}
+
+<!-- TODO - needs example -->
+To compile an assign-such-that statement, Dafny needs to find some appropriate bounds for each variable.
+However, in this case the expression is too complex for Dafny's heuristics.
+
+## **Error: nondeterministic if statement forbidden by the --enforce-determinism option** {#c_nondeterministic_if_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m() {
+var y: int;
+  if * { y:= 0; } else { y:= 1; }
+}
+```
+
+The `--enforce-determinism` option requires a target program to be deterministic and predictable:
+there may be no program statements that have an arbitrary, even if deterministic, result.
+Hence this 'non-deterministic if' (`if *`) statement is not permitted with `--enforce-determinism`.
+
+## **Error: binding if statement forbidden by the --enforce-determinism option** {#c_binding_if_forbidden}
+
+<!-- TODO: a binding guard is a ghost statement so how could this situation ever happen? -->
+
+<!-- %no-check %options --enforce-determinism -->
+```dafny
+method m(k: int) {
+  var i := k;
+  var y: int;
+  if i :| i < 5 {  } else { y := 1; }
+}
+```
+
+The `--enforce-determinism` option requires a target program to be deterministic and predictable:
+there may be no program statements that have an arbitrary, even if deterministic, result.
+The [`if` with a binding guard](../DafnyRef/DafnyRef#sec-binding-guards) (`if ... :| `) checks that the 
+given predicate is satisfiable by some value. If not, then the 'else' branch is executed;
+but if so, the 'then' branch is executed with an arbitrary value that satisifies the predicate.
+Because of this arbitrary selection, the if-with-binding-guard is not permitted with `--enforce-determinism`,
+even if there is exactly one value that satisfies the predicate.
+(The tool does not try to determine whether there is just one value or
+whether there is a reasonable way to compute a value.)
+
+## **Error: case-based if statement forbidden by the --enforce-determinism option** {#c_case_based_if_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m(k: int) {
+  var i := k;
+  if
+  {
+    case i >= 0 => i := i - 1;
+    case i <= 0 => i := i + 1;
+  }
+}
+```
+
+The `--enforce-determinism` option requires a target program to be deterministic and predictable:
+there may be no program statements that have an arbitrary, even if deterministic, result.
+The case-based if statement allows the case guards to be evaluated in an arbitrary order and
+an arbitrary one of those found to be true is chosen to be executed.
+Hence the case-based if is not permitted with `--enforce-determinism`.
+
+To enforce a deterministic order to the evaluation, use a chain of if-then-else statements.
+
+## **Error: nondeterministic loop forbidden by the --enforce-determinism option** {#c_non_deterministic_loop_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m(b: bool) decreases * {
+  while * 
+    decreases *
+  { }
+}
+```
+
+The `--enforce-determinism` option requires a target program to be deterministic and predictable:
+there may be no program statements that have an arbitrary, even if deterministic, result.
+Hence this 'non-deterministic while' (`while *`) statement is not permitted with `--enforce-determinism`.
+
+## **Error: case-based loop forbidden by the --enforce-determinism option** {#c_case_based_loop_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m(k: int) {
+  var i := k;
+  while 
+    decreases if i < 0 then -i else i
+  {
+    case i > 0 => i := i - 1;
+    case i < 0 => i := i + 1;
+  }
+}
+```
+
+The `--enforce-determinism` option requires a target program to be deterministic and predictable:
+there may be no program statements that have an arbitrary, even if deterministic, result.
+The case-based while statement allows the case guards to be evaluated in an arbitrary order and
+an arbitrary one of those found to be true is chosen to be executed.
+Hence the case-based loop is not permitted with `--enforce-determinism`.
+
+To enforce a deterministic order to the evaluation, use a chain of if-then-else statements
+or series of `if` statements in which the then-branch ends in a continue statement.
+
+## **Error: compiler currently does not support assignments to more-than-6-dimensional arrays in forall statements** {#c_no_assignments_to_seven_d_arrays}
+
+<!-- TODO -- needs example and explanation -->
+_The documentation of this problem is in progress._
+
+## **Error: modify statement without a body forbidden by the --enforce-determinism option** {#c_bodyless_modify_statement_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+class A { constructor A(){}}
+
+method m(k: int, o: A) 
+  modifies o
+{
+  var i := k;
+  modify o;
+}
+```
+
+The `--enforce-determinism` option requires a target program to be deterministic and predictable:
+there may be no program statements that have an arbitrary, even if deterministic, result.
+
+The [`modify` statement](../DafnyRef/DafnyRef#sec-modify-statement) allows the program to modify 
+the state of the given objects in an arbitrary way
+(though each field still has a legal value of its declared type).
+Hence such a statement is not permitted with `--enforce-determinism`.
+
+Note that a `modify` statement with a body is deprecated.
+
+## **Error: this let-such-that expression is too advanced for the current compiler; Dafny's heuristics cannot find any bound for variable '_name_'** {#c_let_such_that_is_too_complex}
+
+<!-- TODO: needs example and explanataion -->
+_The documentation of this problem is in progress._
+
+<!-- DafnyCore/Compilers/CSharp/Synthesizer-Csharp.cs -->
+
+## **Error: Post-conditions on function _function_ might be unsatisfied when synthesizing code for method _name_" {#c_possibly_unsatisfied_postconditions}
+
+<!-- TODO: Example? Say more? Better documentation? -->
+This message relates to mocking methods in C# with the Moq framework. 
+See the [reference manual section on {:synthesize}](../DafnyRef/DafnyRef#sec-synthesize-attr) for more detail.
+
+## **Error: Stubbing fields is not recommended (field _name_ of object _object_ inside method _method_)** {#c_stubbing_fields_not_recommended}
+
+<!-- TODO: Example? Say more? Better documentation? -->
+This message relates to mocking methods in C# with the Moq framework. 
+See the [reference manual section on {:synthesize}](../DafnyRef/DafnyRef#sec-synthesize-attr) for more detail.
+
+<!-- DafnyCore/Compilers/Cplusplus/Compiler-Cpp.cs -->
+
+ 
+## **Error: Abstract type ('_type_') with unrecognized extern attribute _attr_ cannot be compiled.  Expected {:extern compile_type_hint}, e.g., 'struct'.** {#c_abstract_type_cannot_be_compiled_extern}
+
+<!-- %check-run %options --enforce-determinism --target cpp --unicode-char:false -->
+```dafny
+type {:extern "class" } T
+```
+
+The C++ compiler must be told how to translate an abstract type. Typically the value of the extern attribute is "struct".
+Note that Dafny's C++ compiler is very preliminary, partial and experimental.
+
+<!-- DafnyCore/Compilers/Compiler-go.cs -->
+# Errors specific to the Go compiler
+
+## **Error: Unsupported field _name_ in extern trait** {#c_Go_unsupported_field}
+
+<!-- TODO: needs example and explanation -->
+_Documentation of the Go compiler errors is in progress._
+
+## **Error: Cannot convert from _type_ to _target-type_** {#c_Go_infeasible_conversion}
+
+<!-- TODO - may not be feasible -->
+_Documentation of the Go compiler errors is in progress._
diff --git a/v4.10.0/HowToFAQ/Errors-Compiler.template b/v4.10.0/HowToFAQ/Errors-Compiler.template
new file mode 100644
index 0000000..c6591bd
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-Compiler.template
@@ -0,0 +1,374 @@
+<!-- %default %useHeadings %check-ids -->
+
+<!-- The file Errors-Compiler.template is used along with Compiler-Errors.cs to produce Errors-Compiler.md.
+     Errors-Compiler.template holds the structure of the markdown file and the examples of each error message.
+     Compiler-Errors.cs holds the text of error explanations, so they are just in the source code rather than duplicated also in markdown.
+     The content of Errors-Compiler.template and Compiler-Errors.cs are tied together by the errorids.
+     Thus Errors-Compiler.md is a generated file that should not be edited itself.
+     The program make-error-catalog does the file generation.
+-->
+
+<!-- DafnyCore/Compilers/ExecutableBackend.cs -->
+
+## **Error: _process_ Process exited with exit code _code_** {#c_process_exit}
+
+<!-- INSERT-TEXT -->
+
+## **Error: Unable to start _target_** {#c_process_failed_to_start}
+
+<!-- INSERT-TEXT -->
+
+<!-- DafnyCore/Compilers/SinglePassCompiler.cs -->
+
+## **Error: Error: '_feature_' is not an element of the _target_ compiler's UnsupportedFeatures set** {#c_unsupported_feature}
+
+<!-- INSERT-TEXT -->
+
+## **Error: Abstract type ('_type_') with extern attribute requires a compile hint. Expected {:extern _hint_}** {#c_abstract_type_needs_hint}
+
+<!-- %check-run -->
+```dafny
+type {:extern } T
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: Abstract type (_name_) cannot be compiled; perhaps make it a type synonym or use :extern.** {#c_abstract_type_cannot_be_compiled}
+
+<!-- %check-run -->
+```dafny
+type T
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: since yield parameters are initialized arbitrarily, iterators are forbidden by the --enforce-determinism option** {#c_iterators_are_not_deterministic}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+iterator Gen(start: int) yields (x: int)
+  yield ensures |xs| <= 10 && x == start + |xs| - 1
+{
+  var i := 0;
+  while i < 10 invariant |xs| == i {
+    x := start + i;
+    yield;
+    i := i + 1;
+  }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: iterator _name_ has no body** {#c_iterator_has_no_body}
+
+<!-- %check-run -->
+```dafny
+iterator Gen(start: int) yields (x: int)
+  yield ensures |xs| <= 10 && x == start + |xs| - 1
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: since fields are initialized arbitrarily, constructor-less classes are forbidden by the --enforce-determinism option** {#c_constructorless_class_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+class A { var j: int }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: The method '_name_' is not permitted as a main method (_reason_).** {#c_method_may_not_be_main_method}
+
+<!-- %check-run %options --main-method:mmm -->
+```dafny
+method mmm(i: int) {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: Could not find the method named by the -Main option: _name_** {#c_could_not_find_stipulated_main_method}
+
+<!-- %check-run %options --main-method:m -->
+```dafny
+class A { static method mm() {} }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: More than one method is marked {:main}. First declaration appeared at _location_.** {#c_more_than_one_explicit_main_method}
+
+<!-- %check-run -->
+```dafny
+method {:main} M(s: seq<string>) {}
+method {:main} P() {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: This method marked {:main} is not permitted as a main method (_name_).** {#c_method_not_permitted_as_main}
+
+<!-- %check-run -->
+```dafny
+method {:main} M(i: int) {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: More than one method is declared as 'Main'. First declaration appeared at _location_.** {#c_more_than_one_default_Main_method}
+
+<!-- %check-run -->
+```dafny
+method Main(s: seq<string>) {}
+class A {
+  static method Main() {}
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: This method 'Main' is not permitted as a main method (_reason_).** {#c_Main_method_not_permitted}
+
+<!-- %check-run -->
+```dafny
+method Main(i: int) {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: Function _name_ has no body so it cannot be compiled** {#c_function_has_no_body}
+
+<!-- %check-run -->
+```dafny
+function f(): int
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: Function _name_ must be compiled to use the {:test} attribute** {#c_test_function_must_be_compilable}
+
+<!-- %check-run -->
+```dafny
+ghost function {:test} f(): int { 42 }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: Method _name_ is annotated with :synthesize but is not static, has a body, or does not return anything** {#c_invalid_synthesize_method}
+
+<!-- TODO: Need example? -->
+<!-- INSERT-TEXT -->
+
+## **Error: Method _name_ has no body so it cannot be compiled** {#c_method_has_no_body}
+
+<!-- %check-run -->
+```dafny
+method m()
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: assume statement has no {:axiom} annotation** {#r_assume_statement_without_axiom}
+
+<!-- %check-run -->
+```dafny
+method m(x: int) {
+  assume x > 0;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a forall statement without a body cannot be compiled** {#c_forall_statement_has_no_body}
+
+<!-- %no-check  FIX: now has multiple lines of error messages -->
+```dafny
+predicate P(i: int)
+method m(a: array<int>) {
+  forall x: int | P(x) 
+  var y := 3;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a loop without a body cannot be compiled** {#c_loop_has_no_body}
+
+<!-- %no-check  FIX: now has multiple lines of error messages -->
+```dafny
+ghost method m(i: int) {
+  var x: int := i;
+  while x > 0 
+  x := 3;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: nondeterministic assignment forbidden by the --enforce-determinism option** {#c_nondeterminism_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m() {
+  var x: int;
+  x := *;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+<!-- TODO - test all 3 instances -->
+
+## **Error: assign-such-that statement forbidden by the --enforce-determinism option** {#c_assign_such_that_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m() {
+  var x: int;
+  x :| x < 5;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: this assign-such-that statement is too advanced for the current compiler; Dafny's heuristics cannot find any bound for variable '_name_'** {#c_assign_such_that_is_too_complex}
+
+<!-- TODO - needs example -->
+<!-- INSERT-TEXT -->
+
+## **Error: nondeterministic if statement forbidden by the --enforce-determinism option** {#c_nondeterministic_if_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m() {
+var y: int;
+  if * { y:= 0; } else { y:= 1; }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: binding if statement forbidden by the --enforce-determinism option** {#c_binding_if_forbidden}
+
+<!-- TODO: a binding guard is a ghost statement so how could this situation ever happen? -->
+
+<!-- %no-check %options --enforce-determinism -->
+```dafny
+method m(k: int) {
+  var i := k;
+  var y: int;
+  if i :| i < 5 {  } else { y := 1; }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: case-based if statement forbidden by the --enforce-determinism option** {#c_case_based_if_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m(k: int) {
+  var i := k;
+  if
+  {
+    case i >= 0 => i := i - 1;
+    case i <= 0 => i := i + 1;
+  }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: nondeterministic loop forbidden by the --enforce-determinism option** {#c_non_deterministic_loop_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m(b: bool) decreases * {
+  while * 
+    decreases *
+  { }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: case-based loop forbidden by the --enforce-determinism option** {#c_case_based_loop_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+method m(k: int) {
+  var i := k;
+  while 
+    decreases if i < 0 then -i else i
+  {
+    case i > 0 => i := i - 1;
+    case i < 0 => i := i + 1;
+  }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: compiler currently does not support assignments to more-than-6-dimensional arrays in forall statements** {#c_no_assignments_to_seven_d_arrays}
+
+<!-- TODO -- needs example and explanation -->
+<!-- INSERT-TEXT -->
+
+## **Error: modify statement without a body forbidden by the --enforce-determinism option** {#c_bodyless_modify_statement_forbidden}
+
+<!-- %check-resolve %options --enforce-determinism -->
+```dafny
+class A { constructor A(){}}
+
+method m(k: int, o: A) 
+  modifies o
+{
+  var i := k;
+  modify o;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: this let-such-that expression is too advanced for the current compiler; Dafny's heuristics cannot find any bound for variable '_name_'** {#c_let_such_that_is_too_complex}
+
+<!-- TODO: needs example and explanataion -->
+<!-- INSERT-TEXT -->
+
+<!-- DafnyCore/Compilers/CSharp/Synthesizer-Csharp.cs -->
+
+## **Error: Post-conditions on function _function_ might be unsatisfied when synthesizing code for method _name_" {#c_possibly_unsatisfied_postconditions}
+
+<!-- TODO: Example? Say more? Better documentation? -->
+<!-- INSERT-TEXT -->
+
+## **Error: Stubbing fields is not recommended (field _name_ of object _object_ inside method _method_)** {#c_stubbing_fields_not_recommended}
+
+<!-- TODO: Example? Say more? Better documentation? -->
+<!-- INSERT-TEXT -->
+
+<!-- DafnyCore/Compilers/Cplusplus/Compiler-Cpp.cs -->
+
+ 
+## **Error: Abstract type ('_type_') with unrecognized extern attribute _attr_ cannot be compiled.  Expected {:extern compile_type_hint}, e.g., 'struct'.** {#c_abstract_type_cannot_be_compiled_extern}
+
+<!-- %check-run %options --enforce-determinism --target cpp --unicode-char:false -->
+```dafny
+type {:extern "class" } T
+```
+
+<!-- INSERT-TEXT -->
+
+<!-- DafnyCore/Compilers/Compiler-go.cs -->
+# Errors specific to the Go compiler
+
+## **Error: Unsupported field _name_ in extern trait** {#c_Go_unsupported_field}
+
+<!-- TODO: needs example and explanation -->
+<!-- INSERT-TEXT -->
+
+## **Error: Cannot convert from _type_ to _target-type_** {#c_Go_infeasible_conversion}
+
+<!-- TODO - may not be feasible -->
+<!-- INSERT-TEXT -->
diff --git a/v4.10.0/HowToFAQ/Errors-Generic.md b/v4.10.0/HowToFAQ/Errors-Generic.md
new file mode 100644
index 0000000..d6a9379
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-Generic.md
@@ -0,0 +1,84 @@
+<!-- %default %useHeadings %check-ids -->
+
+<!-- FILE ./DafnyCore/Generic/Util.cs -->
+
+## **Warning: constructors no longer need 'this' to be listed in modifies clauses** {#g_deprecated_this_in_constructor_modifies_clause}
+
+<!-- %check-resolve-warn -->
+```dafny
+class A {
+  constructor () modifies this {}
+}
+```
+
+The purpose of a constructor is to initialize a newly allocated instance of a class.
+Hence it always modifies the `this` object.
+Previously it was required to list `this` in the modifies clause of the
+constructor to specify this property, but now `this` is always implicitly 
+a part of the modifies clause. 
+If the constructor only modifies its own object (as is the very common case)
+then no explicit modifies clause is needed at all.
+
+<!-- TODO - 2 instances -- needs an example using set display-->
+
+## **Error: \\u escape sequences are not permitted when Unicode chars are enabled** {#g_no_old_unicode_char}
+
+<!-- %check-resolve %options --unicode-char=true -->
+```dafny
+const c := '\u0000'
+```
+
+When using the option `--unicode-chars=true` all unicode characters are written with `\\U`, not `\\`.
+
+## **Error: \\U{X..X} escape sequence must have at most six hex digits** {#g_unicode_escape_must_have_six_digits}
+
+<!-- %check-resolve %options --unicode-char=true -->
+```dafny
+const c := '\U{00AABBCC}'
+```
+
+When using the option `--unicode-chars=true` all unicode characters are written with `\\U`, not `\\`.
+
+## **Error: \\U{X..X} escape sequence must be less than 0x110000** {#g_unicode_escape_is_too_large}
+
+<!-- %check-resolve %options --unicode-char=true -->
+```dafny
+const c := '\U{110011}'
+```
+
+Unicode characters (with `--unicode-chars=true`) are defined only up through `0x110000`.
+
+## **Error: \\U{X..X} escape sequence must not be a surrogate** {#g_unicode_escape_may_not_be_surrogate}
+
+<!-- %check-resolve %options --unicode-char=true -->
+```dafny
+const c := '\U{D900}'
+```
+
+The allowed range of unicode characters in Dafny excludes the surrogate characters in the range 0xD800 .. 0xE000.
+
+## **Error: \\U escape sequences are not permitted when Unicode chars are disabled** {#g_U_unicode_chars_are_disallowed}
+
+<!-- %check-resolve %options --unicode-char=false -->
+```dafny
+const c := '\U{D000}'
+```
+
+With `--unicode-chars=false`, all unicode characters are written with a lower-case `u`.
+
+
+<!-- FILE DafnyCore/DafnyOptions.cs -->
+
+## **Error: Option _name_ unrecognized or unsupported in ':options' attributes.** {#g_option_error}
+
+<!-- %check-resolve -->
+```dafny
+module {:options "ZZZ"} M {}
+```
+
+Dafny allows certain attributes to be defined for specific scopes (such as modules) in a program.
+Only a small set of attributes are permitted to be locally redefined.
+The error message is indicating that the given attribute is not one of them.
+Note that some attributes (e.g. `--unicode-char`) must be consistent across the whole program.
+
+
diff --git a/v4.10.0/HowToFAQ/Errors-Parser.md b/v4.10.0/HowToFAQ/Errors-Parser.md
new file mode 100644
index 0000000..9fc4c06
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-Parser.md
@@ -0,0 +1,1548 @@
+<!-- %check-resolve %default %useHeadings %check-ids -->
+
+<!-- The file Errors-Parser.template is used along with Parser-Errors.cs to produce Errors-Parser.md.
+     Errors-Parser.template holds the structure of the markdown file and the examples of each error message.
+     Parser-Errors.cs holds the text of error explanations, so they are just in the source code rather than duplicated also in markdown.
+     The content of Errors-Parser.template and Parser-Errors.cs are tied together by the errorids.
+     Thus Errors-Parser.md is a generated file that should not be edited itself.
+     The program make-error-catalog does the file generation.
+-->
+
+<!-- ./DafnyCore/Dafny.atg -->
+
+## **Error: Duplicate declaration modifier: abstract** {#p_duplicate_modifier}
+
+```dafny
+abstract abstract module M {}
+```
+
+No Dafny modifier, such as [`abstract`, `static`, `ghost`](https://dafny.org/latest/DafnyRef/DafnyRef#sec-declaration-modifiers) may be repeated
+Such repetition would be superfluous even if allowed.
+
+## **Error: a _decl_ cannot be declared 'abstract'** {#p_abstract_not_allowed}
+ 
+```dafny
+abstract const c := 4
+```
+
+Only modules may be declared abstract.
+
+## **Error: a function-by-method has a ghost function body and a non-ghost method body; a function-by-method declaration does not use the 'ghost' keyword.** {#p_no_ghost_for_by_method}
+
+```dafny
+ghost function f(): int
+{
+  42
+} by method {
+  return 42;
+}
+```
+
+Functions with a [by method](https://dafny.org/latest/DafnyRef/DafnyRef#sec-function-declarations)
+section to their body can be used both in ghost contexts and in non-ghost contexts; 
+in ghost contexts the function body is used and in compiled contexts
+the by-method body is used. The `ghost` keyword is not permitted on the
+declaration.
+
+## **Error: _decl_ cannot be declared 'ghost' (it is 'ghost' by default when using --function-syntax:3)** {#p_ghost_forbidden_default_3}
+
+```dafny
+module {:options "--function-syntax:3"} M {
+  ghost function f(): int { 42 }
+}
+```
+
+For versions prior to Dafny 4, the `function` keyword meant a ghost function
+and `function method` meant a non-ghost function. 
+From Dafny 4 on, `ghost function` means a ghost function and 
+`function` means a non-ghost function. 
+See the discussion [here](https://dafny.org/latest/DafnyRef/DafnyRef#sec-function-syntax) for
+a discussion of options to control this feature.
+
+## **Error: _decl_ cannot be declared 'ghost' (it is 'ghost' by default)** {#p_ghost_forbidden_default}
+
+```dafny
+module {:options "--function-syntax:4"} M {
+  ghost least predicate p()
+}
+```
+
+For versions prior to Dafny 4, the `function` keyword meant a ghost function
+and `function method` meant a non-ghost function. 
+From Dafny 4 on, `ghost function` means a ghost function and 
+`function` means a non-ghost function. 
+See the discussion [here](https://dafny.org/latest/DafnyRef/DafnyRef#sec-function-syntax) for
+a discussion of options to control this feature.
+
+## **Error: a _decl_ cannot be declared 'ghost'** {#p_ghost_forbidden}
+
+```dafny
+ghost module M {}
+```
+
+Only some kinds of declarations can be declared `ghost`, most often functions,
+fields, and local declarations.
+
+## **Error: a _decl_ cannot be declared 'static'** {#p_no_static}
+
+```dafny
+static module M {}
+```
+
+Only some kinds of declarations can be declared 'static', most often
+fields, constants, methods, and functions, and only within classes.
+Modules and the declarations within them are already always static.
+
+## **Error: a _decl_ cannot be declared 'opaque'** {#p_no_opaque}
+
+```dafny
+opaque module M {}
+```
+
+Only some kinds of declarations can be declared 'opaque':
+const fields and the various kinds of functions.
+
+## **Warning: attribute _attribute_ is deprecated {#p_deprecated_attribute}
+
+This attribute is obsolete and unmaintained. It will be removed from dafny in the future.
+
+## **Error: argument to :options attribute must be a literal string** {#p_literal_string_required}
+
+```dafny
+module N { const opt := "--function-syntax:4" }
+import opened N
+module {:options opt} M{}
+```
+
+The value of an options attribute cannot be a computed expression. It must be a literal string.
+
+## **Error: cannot declare identifier beginning with underscore** {#p_no_leading_underscore}
+
+```dafny
+function m(): (_: int) {0}
+```
+
+User-declared identifiers may not begin with an underscore;
+such identifiers are reserved for internal use.
+In match statements and expressions, an identifier
+that is a single underscore is used as a wild-card match.
+
+## **Error: sorry, bitvectors that wide (_number_) are not supported** {#p_bitvector_too_large}
+
+```dafny
+const b: bv2147483648
+```
+
+A bitvector type name is the characters 'bv' followed by a non-negative
+integer literal. However, dafny only supports widths up to the largest
+signed 32-bit integer (2147483647).
+
+## **Error: sorry, arrays of that many dimensions (_number_) are not supported** {#p_array_dimension_too_large}
+
+```dafny
+const a: array2147483648<int>
+```
+
+A multi-dimensional array type name is the characters 'array' followed by
+a positive integer literal. However, dafny only supports numbers of 
+dimensions up to the largest signed 32-bit integer (2147483647).
+In practice (as of v3.9.1) dimensions of more than a few can take 
+overly long to resolve ([Issue #3180](https://github.com/dafny-lang/dafny/issues/3180)).
+
+## **Error: There is no point to an export declaration at the top level** {#p_superfluous_export}
+
+```dafny
+export M
+method M() {}
+```
+
+Although all top-level declarations are contained in an implicit top-level module, there is no syntax to import that module.
+Such an import would likely cause a circular module dependency error.
+If the implicit module cannot be imported, there is no point to any export declarations inside the implicit module.
+
+## **Error: expected either a '{' or a 'refines' keyword here, found _token_** {#p_bad_module_decl}
+
+<!-- %check-resolve %first -->
+```dafny
+module M {}
+module N refine M {}
+```
+
+The [syntax for a module declaration](https://dafny.org/latest/DafnyRef/DafnyRef#sec-modules) is either `module M { ... }` or
+`module M refines N { ... }` with optional attributes after the `module` keyword.
+This error message often occurs if the `refines` keyword is misspelled.
+
+## **Warning: the _name_ token is the identifier for the export set, not an adjective for an extreme predicate** {#p_misplaced_least_or_greatest}
+
+<!-- %check-resolve-warn -->
+```dafny
+module M {
+  export
+  least predicate p()
+}
+```
+
+A `least` or `greatest` token between `export` and `predicate` is a bit ambiguous:
+it can be either the name of the export set or associated with the `predicate` declaration.
+The parser associates it with the `export`. To avoid this warning, do not put the
+`least` or `greatest` token on the same line as the `predicate` token.
+If you intend for the `least` to go with the predicate, change the order of the declarations.
+
+## **Error: no comma is allowed between provides and reveals and extends clauses in an export declaration** {#p_extraneous_comma_in_export}
+
+```dafny
+module M {
+  export A reveals b, a, reveals b
+  export B reveals b, a, provides b
+  export C provides b, a, reveals b
+  export D provides b, a, provides b
+  const a: int
+  const b: int
+}
+```
+
+An export declaration consists of one or more `reveals`, `provides`, and extends clauses. Each clause contains
+a comma-separated list of identifiers, but the clauses themselves are not separated by any delimiter.
+So in the example above, the comma after `a` is wrong in each export declaration. 
+This mistake is easy to make when the clauses are on the same line.
+
+## **Error: fields are not allowed to be declared at the module level; instead, wrap the field in a 'class' declaration** {#p_top_level_field}
+
+```dafny
+module M {
+  var c: int
+}
+```
+
+`var` declarations are used to declare mutable fields of classes, local variables in method bodies, and identifiers in let-expressions.
+But mutable field declarations are not permitted at the static module level, including in the (implicit) toplevel module.
+Rather, you may want the declaration to be a `const` declaration or you may want the mutable field to be declared in the body of a class.
+
+## **Warning: module-level functions are always non-instance, so the 'static' keyword is not allowed here** {#p_module_level_function_always_static}
+
+<!-- %check-resolve-warn -->
+```dafny
+static predicate p() { true }
+```
+
+All names declared in a module (outside a class-like entity) are implicitly `static`.
+Dafny does not allow them to be explictly, redundantly, declared `static`.
+
+## **Warning: module-level methods are always non-instance, so the 'static' keyword is not allowed here** {#p_module_level_method_always_static}
+
+<!-- %check-resolve-warn -->
+```dafny
+static method m() {}
+```
+
+All names declared in a module (outside a class-like entity) are implicitly `static`.
+Dafny does not allow them to be explictly, redundantly, declared `static`.
+
+## **Error: in refining a datatype, the '...' replaces the '=' token and everything up to a left brace starting the declaration of the body; only members of the body may be changed in a datatype refinement** {#p_bad_datatype_refinement}
+
+```dafny
+abstract module M { datatype D = A | B }
+module N refines M { datatype D = ... Y | Z }
+```
+
+There are limitations on refining a datatype, namely that the set of constructors cannot be changed.
+It is only allowed to add members to the body of the datatype.
+
+## **Error: datatype extending traits is not yet enabled by default; use --general-traits=datatype to enable it** {#p_general_traits_datatype}
+
+```dafny
+trait Trait { }
+datatype D extends Trait = A | B
+```
+
+A newtype extending a trait is not generally supported. The option --general-traits=full causes
+Dafny to allow them in the input, but is not recommended.
+
+## **Error: newtype extending traits is not fully supported (specifically, compilation of such types is not supported); to use them for verification only, use --general-traits=full** {#p_general_traits_full}
+
+```dafny
+trait Trait { }
+newtype N extends Trait = int
+```
+
+Use of traits as non-reference types is supported, but is not yet the default. Until it becomes the
+default, use --general--traits=datatype to enable it.
+
+## **Warning: module-level const declarations are always non-instance, so the 'static' keyword is not allowed here {#p_module_level_const_always_static}
+
+<!-- %check-resolve-warn -->
+```dafny
+static const i := 9
+```
+
+All names declared in a module (outside a class-like entity) are implicitly `static`.
+Dafny does not allow them to be explictly, redundantly, declared `static`.
+
+## **Error: expected an identifier after 'const' and any attributes** {#p_const_decl_missing_identifier}
+
+```dafny
+const c := 5
+const
+const d := 5
+```
+
+This error arises from a truncated declarations of a const field, namely just a const keyword.
+To correct the error, add an identifier and either or both a type and initializing expression (or remove the const keyword).
+
+## **Error: a const field should be initialized using ':=', not '='** {#p_bad_const_initialize_op}
+
+```dafny
+const c: int = 5
+```
+
+Dafny's syntax for initialization of const fields uses `:=`, not `=`.
+In Dafny, `=` is used only in type definitions.
+
+## **Error: a const declaration must have a type or a RHS value** {#p_const_is_missing_type_or_init}
+
+```dafny
+const i
+```
+
+A `const` declaration needs its type indicated by either an explicit type
+or a right-hand-side expression, whose type is then the type of the 
+declared identifier. 
+So use syntax either like `const i: int` or `const i := 5` (or both together).
+
+## **Error: in refining a newtype, the '...' replaces the '=' token and everything up to the left brace starting the declaration of the newtype body (if any); a newtype refinement may not change the base type of the newtype** {#p_misplaced_ellipsis_in_newtype}
+
+```dafny
+abstract module M { newtype T = int }
+module N refines M { newtype T = ... int }
+```
+
+There are limitations on refining a newtype, namely that the base type cannot be changed. You can change an abstract type into a newtype, however.
+When refining a newtype by adding a body, the ... stands in place of both the '=' and the base type.
+
+## **Error: formal cannot be declared 'ghost' in this context** {#p_output_of_function_not_ghost}
+
+```dafny
+twostate function p(i: int): (ghost r: int) { true }
+```
+
+The output of a predicate or function cannot be ghost.
+It is implicitly ghost if the function is ghost itself.
+
+## **Error: formal cannot be declared 'new' in this context** {#p_no_new_on_output_formals}
+
+```dafny
+method m(i: int) returns (new r: int) { r := 0; }
+```
+
+The `new` modifier only applies to input parameters.
+
+## **Error: formal cannot be declared 'nameonly' in this context** {#p_no_nameonly_on_output_formals}
+
+```dafny
+method m(i: int) returns (nameonly r: int) { r := 0; }
+```
+
+The `nameonly` modifier only applies to input parameters.
+
+## **Error: formal cannot be declared 'older' in this context** {#p_no_older_on_output_formals}
+
+```dafny
+method m(i: int) returns (older r: int) { r := 0; }
+```
+
+The `older` modifier only applies to input parameters.
+
+## **Error: a mutable field must be declared with a type** {#p_var_decl_must_have_type}
+
+```dafny
+class A {
+  var f
+  const g := 5
+}
+```
+
+Because a mutable field does not have initializer, it must have a type (as in `var f: int`).
+`const` declarations may have initializers; if they do they do not need an explicit type.
+
+## **Error: a mutable field may not have an initializer** {#p_no_init_for_var_field}
+
+```dafny
+class A {
+  var x: int := 6
+  var y: int, x: int := 6, z: int
+}
+```
+
+Dafny does not allow field declarations to have initializers. They are initialized in constructors.
+Local variable declarations (which also begin with `var`) may have initializers.
+
+## **Error: invalid formal-parameter name in datatype constructor** {#p_datatype_formal_is_not_id}
+
+```dafny
+datatype D = Nil | D(int: uint8) 
+```
+
+Datatype constructors can have formal parameters, declared with the usual syntax: 'name: type'.
+In datatype constructors the 'name :' is optional; one can just state the type.
+However, if there is a name, it may not be a typename.
+The formal parameter name should be a simple identifier that is not a reserved word.
+
+## **Error: use of the 'nameonly' modifier must be accompanied with a parameter name** {#p_nameonly_must_have_parameter_name}
+
+```dafny
+datatype D = D (i: int, nameonly int) {}
+```
+
+The parameters of a datatype constructor do not need to have names -- it is allowed to just give the type.
+However, if `nameonly` is used, meaning the constructor can be called using named parameters,
+then the name must be given, as in `datatype D = D (i: int, nameonly j: int) {}`
+
+More detail is given [here](https://dafny.org/latest/DafnyRef/DafnyRef#sec-parameter-bindings).
+
+## **Error: iterators don't have a 'returns' clause; did you mean 'yields'?** {#p_should_be_yields_instead_of_returns}
+
+```dafny
+iterator Count(n: nat) returns (x: nat) {
+  var i := 0;
+  while i < n {
+    x := i;
+    yield;
+    i := i + 1;
+  }
+}
+```
+
+An [iterator](https://dafny.org/latest/DafnyRef/DafnyRef#sec-iterator-types) is like a co-routine: 
+its control flow produces (yields) a value, but the execution continues from that point (a yield statement) to go on to produce the next value, rather than exiting the method. 
+To accentuate this difference, a `yield` statement is used to say when the next value of the iterator is ready, rather than a `return` statement.
+In addition, the declaration does not use `returns` to state the out-parameter, as a method would. Rather it has a `yields` clause.
+The example above is a valid example if `returns` is replaced by `yields`.
+
+## **Error: type-parameter variance is not allowed to be specified in this context** {#p_type_parameter_variance_forbidden}
+
+```dafny
+type List<T>
+method m<+T>(i: int, list: List<T>) {}
+method m<T,-U>(i: int, list: List<T>) {}
+```
+
+[Type-parameter variance](https://dafny.org/latest/DafnyRef/DafnyRef#sec-type-parameter-variance) is specified by a 
+`+`, `-`, `*` or `!` before the type-parameter name.
+Such designations are allowed in generic type declarations but not in generic method, function, or predicate declarations.
+
+<!-- There are two instances of this error, one for the first item in a type parameter list, and one for subsequent items -->
+
+## **Error: unexpected type characteristic: '000' should be one of == or 0 or 00 or !new** {#p_unexpected_type_characteristic}
+
+```dafny
+type T(000)
+```
+
+[Type characteristics](https://dafny.org/latest/DafnyRef/DafnyRef#sec-type-parameters), 
+indicated in parentheses after the type name, state properties of the otherwise uninterpreted or abstract type.
+The currently defined type characteristics are designated by `==` (equality-supporting), `0` (auto-initializable), `00` (non-empty), and `!new` (non-reference).
+
+## **Error: extra comma or missing type characteristic: should be one of == or 0 or 00 or !new** {#p_missing_type_characteristic}
+
+<!-- %no-check - TODO - fix to better error recovery after 4.0 -->
+```dafny
+type T(0,,0)
+```
+
+[Type characteristics](https://dafny.org/latest/DafnyRef/DafnyRef#sec-type-parameters), 
+state properties of the otherwise uninterpreted or abstract type.
+They are given in a parentheses-enclosed, comma-separated list after the type name.
+The currently defined type characteristics are designated by `==` (equality - supporting),
+`0` (auto - initializable), `00` (non - empty), and `!new` (non - reference).
+
+## **Error: illegal type characteristic: '_token_' should be one of == or 0 or 00 or !new** {#p_illegal_type_characteristic}
+
+```dafny
+type T(X)
+```
+
+[Type characteristics](https://dafny.org/latest/DafnyRef/DafnyRef#sec-type-parameters),
+indicated in parentheses after the type name, state properties of the otherwise uninterpreted or abstract type.
+The currently defined type characteristics are designated by `==` (equality - supporting),
+`0` (auto - initializable), `00` (non - empty), and `!new` (non - reference).
+Type characteristics are given in a parentheses-enclosed, comma-separated list after the type name.
+
+## **Warning: the old keyword 'colemma' has been renamed to the keyword phrase 'greatest lemma'** {#p_deprecated_colemma}
+
+<!-- %check-resolve-warn -->
+```dafny
+colemma m() ensures true {}
+```
+
+The adjectives `least` and `greatest` for lemmas and functions are more consistent with the nomenclature for coinduction.
+
+## **Warning: the old keyword phrase 'inductive lemma' has been renamed to 'least lemma'** {#p_deprecated_inductive_lemma}
+
+<!-- %check-resolve-warn -->
+```dafny
+inductive lemma m() ensures true {}
+```
+
+The adjectives `least` and `greatest` for lemmas and functions are more consistent with the nomenclature for coinduction.
+
+## **Error: constructors are allowed only in classes** {#p_constructor_not_in_class}
+
+```dafny
+module M {
+  constructor M() {}
+}
+```
+
+Constructors are methods that initialize class instances. That is, when a new instance of a class is being created, 
+using the `new` object syntax, some constructor of the class is called, perhaps a default anonymous one.
+So, constructor declarations only make sense within classes.
+
+## **Error: a method must be given a name (expecting identifier)** {#p_method_missing_name}
+
+```dafny
+method {:extern "M"} (i: int) {}
+```
+
+A method declaration always requires an identifier between the `method` keyword and the `(` that starts the formal parameter list.
+This is the case even when, as in the example above, a name is specified using `:extern`. The extern name is only used in the
+compiled code; it is not the name used to refer to the method in Dafny code
+
+## **Error: type of _k_ can only be specified for least and greatest lemmas** {#p_extraneous_k}
+
+```dafny
+lemma b[nat](i: int) { }
+```
+
+Least and greatest lemmas and predicates have a special parameter named `k`.
+Its type is specified in square brackets between the lemma/predicate name and the rest of the signature.
+The type may be either `nat` or `ORDINAL`.
+But this type is specified only for `least` and `greatest` constructs.
+
+## **Error: constructors cannot have out-parameters** {#p_constructors_have_no_out_parameters}
+
+```dafny
+class C {
+  constructor (i: int) returns (j: int) {}
+}
+```
+
+Constructors are used to initalize the state of an instance of a class.
+Thus they typically set the values of the fields of the class instance.
+Constructors are used in `new` object expressions, which return 
+a reference to the newly constructed object (as in `new C(42)`).
+There is no syntax to receive out-parameter values of a constructor
+and they may not be declared. 
+(This is similar to constructors in other programming languages, like Java.)
+
+## **Error: A 'reads' clause that contains '*' is not allowed to contain any other expressions** {#p_reads_star_must_be_alone}
+
+```dafny
+const a: object
+function f(): int
+  reads a, *
+{
+  0
+}
+```
+
+A reads clause lists the objects whose fields the function is allowed to read (or expressions 
+containing such objects). `reads *` means the function may read anything.
+So it does not make sense to list `*` along with something more specific.
+If you mean that the function should be able to read anything, just list `*`.
+Otherwise, omit the `*` and list expressions containing all the objects that are read.
+
+## **Error: out-parameters cannot have default-value expressions** {#p_no_defaults_for_out_parameters}
+
+```dafny
+method m(i: int) returns (j: int := 0) { return 42; }
+```
+
+Out-parameters of a method are declared (inside the parentheses after the `returns` keyword)
+with just an identifier and a type, separated by a colon. 
+No initializing value may be given. If a default value is needed, assign the out-parameter
+that value as a first statement in the body of the method.
+
+## **Error: set type expects only one type argument** {#p_set_only_one_type_parameter}
+
+```dafny
+const c: set<int,bool>
+```
+
+A `set` type has one type parameter, namely the type of the elements of the set.
+The error message states that the parser sees some number of type parameters different than one.
+The type parameters are listed in a comma-separated list between `<` and `>`, after the type name.
+
+## **Error: iset type expects only one type argument** {#p_iset_only_one_type_parameter}
+
+```dafny
+const c: iset<int,bool>
+```
+
+A `iset` type has one type parameter, namely the type of the elements of the set.
+The error message states that the parser sees some number of type parameters different than one.
+The type parameters are listed in a comma-separated list between `<` and `>`, after the type name.
+
+## **Error: multiset type expects only one type argument** {#p_multiset_only_one_type_parameter}
+
+```dafny
+const c: multiset<int,bool>
+```
+
+A `multiset` type has one type parameter, namely the type of the elements of the multiset.
+The error message states that the parser sees some number of type parameters different than one.
+The type parameters are listed in a comma-separated list between `<` and `>`, after the type name.
+
+## **Error: seq type expects only one type argument** {#p_seq_only_one_type_parameter}
+
+```dafny
+const c: seq<int,bool>
+```
+
+A `seq` type has one type parameter, namely the type of the elements of the sequence.
+The error message states that the parser sees some number of type parameters different than one.
+The type parameters are listed in a comma-separated list between `<` and `>`, after the type name.
+
+## **Error: map type expects two type arguments** {#p_map_needs_two_type_parameters}
+
+```dafny
+const m: map<int,bool,string>
+```
+
+A `map` type has two type parameters: the type of the keys and the type of the values.
+The error message states that the parser sees some number of type parameters different than two.
+
+## **Error: imap type expects two type arguments** {#p_imap_needs_two_type_parameters}
+
+```dafny
+const m: imap<int,bool,string>
+```
+
+A `imap` type has two type parameters: the type of the keys and the type of the values.
+The error message states that the parser sees some number of type parameters different than two.
+
+## **Error: arrow-type arguments may not be declared as 'ghost'** {#p_no_ghost_arrow_type_arguments}
+
+```dafny
+const f: (ghost int, bool) -> int
+```
+
+[Arrow types](../DafnyRef/DafnyRef#sec-arrow-types) are the types of functions in Dafny.
+They are designated with the arrow syntax, as shown in the example,
+except that the types used cannot be declared as ghost.
+
+## **Error: empty type parameter lists are not permitted** {#p_no_empty_type_parameter_list}
+
+<!-- Not reachable -->
+
+An instantiation of a generic type consists of the generic type name followed by a comma-separated
+list of type arguments enclosed in angle brackets. If a type has no type arguments, then
+there is no list and no angle brackets either.
+
+However, this particular error message is not reachable in the current parser. 
+If the message is seen, please report the code that caused it so that the bug or documentation can be corrected.
+
+## **Error: a formal [ ] declaration is only allowed for least and greatest predicates** {#p_formal_ktype_only_in_least_and_greatest_predicates}
+
+```dafny
+predicate p[nat]() { true }
+```
+
+A declaration of an extreme predicate includes a special formal 
+in addition to the regular parenthesis-enclosed list of formals.
+The type of that special formal is given in square brackets between the 
+predicate name and the opening parenthesis of the formals.
+The type may be either `nat` or `ORDINAL`.
+This special formal is not permitted in a regular (non-extreme) predicate.
+
+## **Warning: the old keyword phrase 'inductive predicate' has been renamed to 'least predicate' {#p_deprecated_inductive_predicate}
+
+<!-- %check-resolve-warn -->
+```dafny
+inductive predicate p()
+```
+
+The terms `least predicate` and `greatest predicate` are more descriptive of the relationship between them than was the old terminology.
+
+## **Warning: the old keyword 'copredicate' has been renamed to the keyword phrase 'greatest predicate' {#p_deprecated_copredicate}
+
+<!-- %check-resolve-warn -->
+```dafny
+copredicate p()
+```
+
+The terms `least predicate` and `greatest predicate` are more descriptive of the relationship between them than was the old terminology.
+
+## **Error: a 'by method' implementation is not allowed on a twostate _what_** {#p_no_by_method_in_twostate}
+
+```dafny
+class Cell { var data: int  constructor(i: int) { data := i; } }
+twostate predicate Increasing(c: Cell)
+  reads c
+{
+  old(c.data) <= c.data
+} by method {
+  return old(c.data) <= c.data;
+}
+```
+
+Two state functions and predicates are always ghost and do not have a compiled representation.
+Such functions use values from two different program (heap) states, which is not 
+something that can be implemented (at least with any degree of good performance) in conventional programming languages.
+
+Because there is no feasible compiled verion of a two-state function, it cannot have a `by method` block (which is always compiled).
+
+## **Error: a 'by method' implementation is not allowed on an extreme predicate** {#p_no_by_method_in_extreme_predicate}
+
+```dafny
+least predicate g() { 42 } by method { return 42; }
+```
+
+Least and greatest predicates are always ghost and do not have a compiled representation, 
+so it makes no sense to have a `by method` alternative implementation.
+
+## **Error: to use a 'by method' implementation with a _what_, declare _id_ using _what_, not '_what_ method'** {#p_no_by_method_for_ghost_function}
+
+```dafny
+function method m(): int {
+  42
+} by method {
+  return 42;
+}
+```
+
+`by method` constructs combine a ghost function (or predicate) with a non-ghost method.
+The two parts compute the same result, and are verified to do so.
+Uses of the function are verified using the function body, but the method body is used when the function is compiled.
+
+Thus the function part is always implicitly `ghost` and may not be explicitly declared `ghost`.
+
+## **Error: a _adjective_ _what_ is supported only as ghost, not as a compiled _what_** {#p_twostate_and_extreme_are_always_ghost}
+
+```dafny
+twostate function method m(): int {
+  42
+}
+```
+
+The `twostate`, `least`, and `greatest` functions and predicates are always ghost and cannot be compiled, so they cannot be
+declared as a `function method` (v3 only).
+
+## **Error: a _what_ is always ghost and is declared with '_what_'** {#p_old_ghost_syntax}
+
+```dafny
+module {:options "--function-syntax:experimentalPredicateAlwaysGhost"} M {
+  predicate method p() { true }
+}
+```
+
+This error only occurs when the `experimentalPredicateAlwaysGhost` option is chosen.
+It indicates that `predicates` are always ghost and cannot be declared with the (Dafny 3) syntax `predicate method`.
+- If you intend to predicate to be ghost, remove `method`.
+- If you intend the predicate to be non-ghost, you either cannot use `experimentalPredicateAlwaysGhost` or you should use `function` with a `bool` return type instead of `predicate`
+
+## **Error: the phrase '_what_ method' is not allowed when using --function-syntax:4; to declare a compiled predicate, use just 'predicate'** {#p_deprecating_predicate_method}
+
+```dafny
+module {:options "--function-syntax:4"} M {
+  predicate method f() { true }
+}
+```
+
+From Dafny 4 on, the phrases `function method` and `predicate method` are no
+longer accepted. Use `function` for compiled, non-ghost functions and
+`ghost function` for non-compiled, ghost functions, and similarly for predicates.
+See [the documentation here](https://dafny.org/latest/DafnyRef/DafnyRef#sec-function-syntax).
+
+## **Error: the phrase '_what_ method' is not allowed when using --function-syntax:4; to declare a compiled function, use just 'function'** {#p_deprecating_function_method}
+
+```dafny
+module {:options "--function-syntax:4"} M {
+  function method f(): int { 42 }
+}
+```
+
+From Dafny 4 on, the phrases `function method` and `predicate method` are no
+longer accepted. Use `function` for compiled, non-ghost functions and
+`ghost function` for non-compiled, ghost functions, and similarly for predicates.
+See [the documentation here](https://dafny.org/latest/DafnyRef/DafnyRef#sec-function-syntax).
+
+## **Error: there is no such thing as a 'ghost predicate method'** {#p_no_ghost_predicate_method}
+
+```dafny
+module {:options "--function-syntax:experimentalDefaultGhost"} M {
+  ghost predicate method f() { true }
+}
+```
+
+Pre-Dafny 4, a `function method` and a `predicate method` are explicitly
+non-ghost, compiled functions, and therefore cannot be declared `ghost` as well.
+If indeed the function or predicate is intended to be ghost, leave out `method`;
+ if it is intended to be non-ghost, leave out `ghost`.
+
+From Dafny 4 on, a ghost function is declared `ghost function` and a non-ghost function is declared `function` 
+and there is no longer any declaration of the form `function method`, and similarly for predicates. 
+
+See [the documentation here](../DafnyRef/DafnyRef#sec-function-syntax).
+
+## **Error: there is no such thing as a 'ghost function method'** {#p_no_ghost_function_method}
+
+```dafny
+module {:options "--function-syntax:experimentalDefaultGhost"} M {
+  ghost function method f(): int { 42 }
+}
+```
+
+Pre-Dafny 4, a `function method` and a `predicate method` are explicitly
+non-ghost, compiled functions, and therefore cannot be declared `ghost` as well.
+If indeed the function or predicate is intended to be ghost, leave out `method`;
+ if it is intended to be non-ghost, leave out `ghost`.
+
+From Dafny 4 on, a ghost function is declared `ghost function` and a non-ghost function is declared `function` 
+and there is no longer any declaration of the form `function method`, and similarly for predicates. 
+
+See [the documentation here](../DafnyRef/DafnyRef#sec-function-syntax).
+
+## **Error: a _what_ must be declared as either 'ghost _what_' or '_what_ method' when using --function-syntax:migration3to4** {#p_migration_syntax}
+
+```dafny
+module {:options "--function-syntax:migration3to4"} M {
+  function f(): int { 42 }
+}
+```
+
+This error occurs only when using `migration3to4`. With this option, ghost functions are declared using `ghost function` and compiled functions using `function method`.
+Change `function` in the declaration to one of these.
+
+## **Error: formal cannot be declared 'ghost' in this context** {#p_no_ghost_formal}
+
+```dafny
+ghost predicate p(ghost i: int) { true }
+```
+
+A ghost predicate or function effectively has all ghost formal parameters, so they cannot be declared ghost in addition.
+
+## **Error: 'decreases' clauses are meaningless for least and greatest predicates, so they are not allowed** {#p_no_decreases_for_extreme_predicates}
+
+```dafny
+least predicate m(i: int)
+  decreases i
+{
+  true
+}
+```
+
+Least and greatest predicates are not checked for termination. In fact, unbounded recursion is part of being coinductive.
+Hence `decreases` clauses are inappropriate and not allowed.
+
+## **Error: _name_ return type should be bool, got _type_** {#p_predicate_return_type_must_be_bool}
+
+```dafny
+predicate b(): (r: boolean) { 4 }
+```
+
+A predicate is a function that returns `bool`. The return type here is something else.
+If you mean to have a non-`bool` return type, use `function` instead of `predicate`.
+
+## **Error: _name_s do not have an explicitly declared return type; it is always bool. Unless you want to name the result: ': (result: bool)'** {#p_no_return_type_for_predicate}
+
+<!-- %no-check TODO - this example crashes -->
+```dafny
+predicate p(): bool { true } 
+```
+
+A `predicate` is simply a `function` that returns a `bool` value.
+Accordingly, the type is (required to be) omitted, unless the result is being named.
+So `predicate p(): (res: bool) { true }` is permitted.
+
+## **Error: A '*' expression is not allowed here** {#p_no_wild_expression}
+
+```dafny
+function m(i: int): int
+  decreases *
+{
+  42
+}
+```
+
+A method or loop with a `decreases *` clause is not checked for termination.
+This is only permitted for non-ghost methods and loops.
+Insert an actual decreases expression.
+
+## **Error: A '*' frame expression is not permitted here** {#p_no_wild_frame_expression}
+
+```dafny
+iterator Gen(start: int) yields (x: int)
+  reads *
+{
+  var i := 0;
+  while i < 10 invariant |xs| == i {
+    x := start + i;
+    yield;
+    i := i + 1;
+  }
+}
+```
+
+A `reads *` clause means the reads clause allows the functions it specifies to read anything.
+Such a clause is not allowed in an iterator specification.
+Insert a specific reads expression.
+
+## **Warning: _kind_ refinement is deprecated** {#p_deprecated_statement_refinement}
+
+<!-- TODO -->
+
+Statement refinement has been deprecated. Refinement is restricted to changing declarations, not bodies of methods or functions.
+
+## **Error: invalid statement beginning here (is a 'label' keyword missing? or a 'const' or 'var' keyword?)** {#p_invalid_colon}
+
+```dafny
+method m(n: nat) {
+  x: while (0 < n) { break x; }
+}
+```
+
+In this situation the parser sees the identifier (x) and the following colon.
+This is not a legal start to a statement. Most commonly either
+* a `var` or `const` keyword is missing, and the `x:` is the beginning of a declaration, or
+* a `label` keyword is missing and the identifier is the label for the statement that follows.
+(The second error is somewhat common because in C/C++ and Java, there is no keyword introducing a label, just the identifier and the colon.)
+
+## **Error: An initializing element display is allowed only for 1-dimensional arrays** {#p_initializing_display_only_for_1D_arrays}
+
+```dafny
+method m() {
+  var a := new int[2,2] [1,2,3,4];
+}
+```
+
+One-dimensional arrays can be initialized like `var s := new int[][1,2,3,4];`,
+but multi-dimensional arrays cannot. The alternatives are to initialize the array
+in a loop after it is allocated, or to initialize with a function, as in
+`var a:= new int[2,2]((i: int, j: int)=>i+j)`.
+
+## **Error: a local variable should be initialized using ':=', ':-', or ':|', not '='** {#p_no_equal_for_initializing}
+
+```dafny
+method m() {
+  var x = 5;
+}
+```
+
+Local variables are initialized with `:=` (and sometimes with `:-` or `:|`), but not with `=`.
+In Dafny `=` is used only in type definitions.
+
+## **Error: LHS of assign-such-that expression must be variables, not general patterns** {#p_no_patterns_and_such_that}
+
+```dafny
+datatype D = D(x: int, y: int)
+method m() {
+  var D(x,y) :| x + y == 5;
+}
+```
+
+The `:|` syntax is called _assign-such-that_: the variables on the left-hand-side are initialized or assigned
+some non-deterministic values that satisfy the predicate on the right-hand-side.
+
+However, Dafny only allows a list of simple variables on the left, not datatype deconstructor patterns, as seen here.
+
+## **Error: 'modifies' clauses are not allowed on refining loops** {#p_no_modifies_on_refining_loops}
+
+<!-- TODO _ example -->
+
+_Refining statements, including loops, are deprecated._
+
+## **Error: Expected 'to' or 'downto'** {#p_to_or_downto}
+
+```dafny
+method m(n: nat) {
+  for i := n DownTo 0 {}
+}
+```
+
+A for loop can express a computation to be performed for each value of a _loop index_.
+In Dafny, the loop index is an int-based variable that is either 
+- incremented up from a starting value to just before an ending value: `3 to 7` means 3, 4, 5, and 6
+- or decremented from just below a starting value down to an ending value: `7 downto 3` means 6, 5, 4, and 3.
+
+The contextual keywords `to` and `downto` indicate incrementing and decrementing, respectively.
+No other words are allowed here, including writing them with different case.
+
+These two words have special meaning only in this part of a for-loop; they are not reserved words elsewhere.
+That is, the code
+<!-- %check-resolve %exit 0 %nomsg -->
+```dafny
+method m() {
+  var to: int := 6;
+  var downto: int := 8;
+  for to := to to downto {}
+}
+```
+is legal, but not at all recommended.
+
+## **Error: A 'decreases' clause that contains '*' is not allowed to contain any other expressions** {#p_no_decreases_expressions_with_star}
+
+```dafny
+method f(n: int) returns (r: int)
+  decreases *, n
+{
+  r := if n == 0 then n else -1-f(n-1);
+}
+```
+
+A `decreases` clause provides a metric that must decrease from one call to the next, 
+in order to assure termination of a sequence of recursive calls. 
+In loops it assures termination of the loop iteration.
+
+`decreases *` means to skip the termination check.
+So it does not make sense to both list a metric and to list '*'.
+Use one or the other.
+
+## **Error: expected either 'by' or a semicolon following the assert expression** {#p_assert_needs_by_or_semicolon}
+
+```dafny
+method m() {
+  assert true
+}
+```
+
+Assert statements, like all statements, end in either a semicolon or a block. Most assert statements end in semicolons,
+but an assert-by statement has the form `assert expr by { ... }` where the by-block contains statements such as lemma calls
+that assist in proving the validity of the asserted expression.
+
+## **Warning: a forall statement with no bound variables is deprecated; use an 'assert by' statement instead** {#p_deprecated_forall_with_no_bound_variables}
+
+<!-- TODO -->
+
+## **Warning: the modify statement with a block statement is deprecated** {#p_deprecated_modify_statement_with_block}
+
+<!-- TODO-->
+
+## **Error: the main operator of a calculation must be transitive** {#p_calc_operator_must_be_transitive}
+
+```dafny
+lemma abs(a: int, b: int, c: int)
+  ensures a + b + c == c + b + a
+{
+  calc != {
+    a + b + c;
+    a + c + b;
+    c + a + b;
+  }
+}
+```
+
+A [calc statement](../DafnyRef/DafnyRef#sec-calc-statement)
+contains a sequence of expressions interleaved by operators.
+Such a sequence aids the verifier in establishing a desired conclusion.
+But the sequence of operators must obey certain patterns similar to chaining expressions.
+In this case a default operator is stated (the `!=` between `calc` and `{`).
+This default operator is the implicit operator between each consecutive pair of expressions
+in the body of the calc statement.
+
+But the operator has to be transitive: `!=` is not allowed; `==`, `<`, `<=`, '>' and '>=' are allowed.
+
+## **Error: this operator cannot continue this calculation** {#p_invalid_calc_op_combination}
+
+```dafny
+lemma abs(a: int, b: int, c: int)
+  ensures a + b + c == c + b + a
+{
+  calc {
+    a + b + c;
+    !=
+    a + c + b;
+    !=
+    c + a + b;
+  }
+}
+```
+
+A [calc statement](../DafnyRef/DafnyRef#sec-calc-statement)
+contains a sequence of expressions interleaved by operators.
+Such a sequence aids the verifier in establishing a desired conclusion.
+But the sequence of operators must obey certain patterns similar to chaining expressions.
+
+In particular, this error message is complaining that it sees an unacceptable operator.
+In this case, the reason is that the sequence may contain only one `!=` operator;
+another reason causing this message would be a combination of `<` and `>` operators.
+
+## **Error: a calculation cannot end with an operator** {#p_calc_dangling_operator}
+
+```dafny
+lemma abs(a: int, b: int, c: int)
+  ensures a + b + c == c + b + a
+{
+  calc {
+    a + b + c;
+    ==
+  }
+}
+```
+
+A [calc statement](../DafnyRef/DafnyRef#sec-calc-statement)
+contains a sequence of expressions interleaved by operators.
+Such a sequence aids the verifier in establishing a desired conclusion.
+But the sequence must begin and end with (semicolon-terminated) expressions.
+
+This error message is complaining that it sees an operator ending the sequence.
+This may be because there is no following expression or that the parser 
+does not recognize the material after the last operator as a legal ending expression.
+
+## **Error: Calls with side-effects such as constructors are not allowed in expressions.** {#p_no_side_effects_in_expressions}
+
+```dafny
+class A { function f(): int { 0 } }
+const c := (new A).f()
+```
+
+Dafny expressions may not have side-effects. This prohibits both assignments to local variables and any
+changes to the heap. Thus method and constructor calls may not occur in expressions.
+This check is syntactic, so even methods that do not modify anything are not permitted in expressions.
+
+## **Error: Ambiguous use of ==> and <==. Use parentheses to disambiguate.** {#p_ambiguous_implies}
+
+```dafny
+const b := true <== false ==> true
+```
+
+The `==>` and `<==` operators have the same precedence but do not associate with each other.
+You must use parentheses to show how they are grouped. Write `p ==> q <== r` as either
+`(p ==> q) <== r` or `p ==> (q <== r)`.
+
+In contrast, `p ==> q ==> r` is `p ==> (q ==> r)` and
+`p <== q <== r` is `(p <== q) <== r`.
+
+See [this section](../DafnyRef/DafnyRef#sec-implication-and-reverse-implication) for more information.
+
+## **Error: Ambiguous use of ==> and <==. Use parentheses to disambiguate.** {#p_ambiguous_implies_2}
+
+```dafny
+const b := true ==> false <== true
+```
+
+The `==>` and `<==` operators have the same precedence but do not associate with each other.
+You must use parentheses to show how they are grouped. Write `p ==> q <== r` as either
+`(p ==> q) <== r` or `p ==> (q <== r)`.
+
+In contrast, `p ==> q ==> r` is `p ==> (q ==> r)` and
+`p <== q <== r` is `(p <== q) <== r`.
+
+See [this section](../DafnyRef/DafnyRef#sec-implication-and-reverse-implication) for more information.
+
+<!-- There are two instances of this error, one in which the first operator is ==> and one in which it is <== -->
+
+## **Error: Ambiguous use of && and ||. Use parentheses to disambiguate.** {#p_ambiguous_and_or}
+
+```dafny
+const b := true && false || true
+```
+
+The `&&` and `||` operators have the same precedence but do not associate with each other.
+You must use parentheses to show how they are grouped. Write `p && q || r` as either
+`(p && q) || r` or `p && (q || r)`.
+
+## **Error: chaining not allowed from the previous operator** {#p_invalid_equal_chaining}
+
+```dafny
+const c := 1 in {1} == true
+```
+
+[Chained operations](../DafnyRef/DafnyRef#sec-basic-types)
+are a sequence of binary operations without parentheses: _a op b op c op d op e_.
+But there are limitations on which operators can be in one chain together.
+
+In particular, the relational operators `in` and `!in` may not be part of a chain.
+Use parentheses as necessary to group the operations.
+
+## **Error: a chain cannot have more than one != operator** {#p_invalid_notequal_chaining}
+
+```dafny
+const c := 1 != 2 != 3
+```
+
+[Chained operations](../DafnyRef/DafnyRef#sec-basic-types)
+are a sequence of binary operations without parentheses: _a op b op c op d op e_.
+But there are limitations on which operators can be in one chain together.
+
+In particular for this error message, one cannot have chains that include more than one `!=` operator.
+
+## **Error: this operator cannot continue this chain** {#p_invalid_operator_in_chain}
+
+```dafny
+const c := {} !! {} != {}
+```
+
+[Chained operations](../DafnyRef/DafnyRef#sec-basic-types)
+are a sequence of binary operations without parentheses: _a op b op c op d op e_.
+But there are limitations on which operators can be in one chain together.
+
+In particular for this error message, the designated operator is not permitted to extend the existing chain.
+
+## **Error: this operator chain cannot continue with an ascending operator** {#p_invalid_descending_chaining}
+
+```dafny
+const c := 2 > 3 < 4
+```
+
+[Chained operations](../DafnyRef/DafnyRef#sec-basic-types)
+are a sequence of binary operations without parentheses: _a op b op c op d op e_.
+But there are limitations on which operators can be in one chain together.
+
+In particular for this error message, one cannot have chains that include both
+less-than operations (either `<` or `<=`) and greater-than operations (either `>` or `>=`).
+
+## **Error: this operator chain cannot continue with a descending operator** {#p_invalid_ascending_chaining}
+
+```dafny
+const c := 2 < 3 > 4
+```
+
+[Chained operations](../DafnyRef/DafnyRef#sec-basic-types)
+are a sequence of binary operations without parentheses: _a op b op c op d op e_.
+But there are limitations on which operators can be in one chain together.
+
+In particular for this error message, one cannot have chains that include both
+less-than operations (either `<` or `<=`) and greater-than operations (either `>` or `>=`).
+
+## **Error: can only chain disjoint (!!) with itself** {#p_invalid_disjoint_chaining}
+
+```dafny
+const c := 2 < 3 !! 4
+```
+
+[Chained operations](../DafnyRef/DafnyRef#sec-basic-types)
+are a sequence of binary operations without parentheses: _a op b op c op d op e_.
+But there are limitations on which operators can be in one chain together.
+
+In particular for this error message, a disjoint operator (`!!`) can appear in a chain
+only if all the operators in the chain are disjoint operators.
+
+As described [here](../DafnyRef/DafnyRef#sec-collection-types),
+`a !! b !! c !! d` means that `a`, `b`, `c`, and `d` are all mutually disjoint
+(which is a different rewriting of the chain than for other operations).
+
+## **Error: this operator cannot be part of a chain** {#p_operator_does_not_chain}
+
+```dafny
+const c := 2 < 3 in 4
+```
+
+The operators `in` and `!in` are relational operators, but they may not occur in a chain.
+Use parentheses if necessary. Such expressions are usually not type-correct in any case.
+
+## **Error: invalid relational operator** {#p_bang_not_a_relational_op}
+
+```dafny
+const s : set<int>
+const r := s ! s
+```
+
+The parser is expecting a relational expression, that is, two expressions separated by a relational operator
+(one of `==`, `!=`, `>`, `>=`, `<`, `<=`, `!!`, `in`, `!in`). But the parser saw just a `!` ,
+which could be the beginning of `!=`, `!!`, or `!in`, but is not continued as such.
+So perhaps there is extraneous white space or something else entirely is intended.
+
+## **Error: invalid relational operator (perhaps you intended \"!!\" with no intervening whitespace?)** {#p_invalid_relational_op}
+
+```dafny
+const s : set<int>
+const r := s ! ! s
+```
+
+The parser is expecting a relational expression, that is, two expressions separated by a relational operator
+(one of `==`, `!=`, `>`, `>=`, `<`, `<=`, `!!`, `in`, `!in`). But the parser saw two `!` separated by
+white space. This is possibly meant to be a `!!` operator, but it could also just be an illegal expression.
+
+## **Error: Ambiguous use of &, |, ^. Use parentheses to disambiguate.** {#p_ambiguous_bitop}
+
+```dafny
+const i: int := 5 | 6 & 7
+```
+
+The bit-operators `&`, `|`, and `^` have the same precedence but do not associate with each other.
+So if they are used within the same expression, parentheses have to be used to show how they
+are grouped. The example `5 | 6 & 7` should be written as either `(5 | 6) & 7` or `5 | (6 & 7)`.
+
+## **Error: too many characters in character literal** {#p_invalid_char_literal}
+
+<!-- %check-resolve %options --allow-deprecation --unicode-char:false -->
+```dafny
+const c := '🚀'
+```
+
+A character literal can only contain a single value of the built-in char type.
+When --unicode-char is disabled, the char type represents UTF-16 code units, 
+so this means a character literal can only contain a character that can be represented
+with a single such unit, i.e. characters in the Basic Multilingual Plane. 
+The rocket ship emoji ('🚀'), for example, is encoded with two surrogate code points.
+
+This can be fixed by enabling the --unicode-char mode, as that defines char as any
+Unicode scalar value, but be aware that it may change the meaning of your program.
+
+More detail is given [here](../DafnyRef/DafnyRef#sec-character-constant-token) and [here](../DafnyRef/DafnyRef#sec-escaped-characters).;
+
+## **Error: binding not allowed in parenthesized expression** {#p_no_parenthesized_binding}
+
+```dafny
+method m() {
+  var c := ( 4 := 5 );
+}
+```
+
+Bindings of the form `x := y` are used in map-display expressions, in which case they are enclosed in square brackets,
+not parentheses. `var c := ( 4 := 5 )` should be `var c := map[ 4 := 5 ]`.
+
+## **Error: A forming expression must be a multiset** {#p_must_be_multiset}
+
+A set/iset/multiset display expression can have two forms. 
+One form is a list of values enclosed by curly braces: `var c := multiset{1,2,2,3}`.
+The other appears as a conversion operation: `var c := multiset(s)`.
+However, this second form can only be used to convert a set to a multiset.
+
+In the current parser, however, this error message is unreachable,
+so if it appears please report the error.
+The tests that check for this error case are already known to be false by previous testing.
+
+## **Error: seq type expects only one type argument** {#p_seq_display_has_one_type_argument}
+
+```dafny
+const c := seq<int,int>(5, i=>i)
+```
+
+The built-in `seq` (sequence) type takes one type parameter, which in some situations is inferred.
+That type parameter is the type of the sequence elements.
+
+## **Error: a map comprehension with more than one bound variable must have a term expression of the form 'Expr := Expr'** {#p_map_comprehension_must_have_term_expression}
+
+```dafny
+const s := map x, y  | 0 <= x < y < 10 :: x*y
+```
+
+A map comprehension defines a map, which associates a value with each member of a set of keys.
+The full syntax for a map comprehension looks like `map x | 0 <= x < 5 :: x*2 := x*3`
+which maps the keys `0, 2, 4, 6, 8` to the values `0, 3, 6, 9, 12` respectively.
+
+One can abbreviate the above syntax to expressions like `map x | 0 <= x < 5 :: x*3`,
+which is equivalent to `map x | 0 <= x < 5 :: x := x*3`. The missing expression before
+the `:=` is just the declared identifier.
+
+One can also have multiple variables involved as in `map x, y | 0 < x < y < 5 :: 10*x+y := 10*y+x`,
+which defines the mappings `(12=>21, 13=>31, 14=>41, 23=>32, 24=>42, 34=>43)`.
+
+But when there are multiple variables, one cannot abbreviate the `:=` syntax with just its right-hand expression,
+because it is not clear what the left-hand expression should be. 
+
+Incorrect text like `const s := map x, y | 0 <= x < y < 10 :: x*y` should be written
+as `const s := map x, y | 0 <= x < y < 10 :: f(x,y) := x*y` for some `f(x,y)` that gives
+a unique value for each pair of `x,y` permitted by the range expression (here `0 <= x < y < 10`).
+
+## **Error: LHS of let-such-that expression must be variables, not general patterns** {#p_no_patterns_in_let_such_that}
+
+```dafny
+datatype Data = D(i: int, j: int)
+const c: int := var Data(d,dd) :| d == 10 && dd == 11; d
+```
+
+The let-such-that expression initializes a variable to some value satisfying a given condition.
+For example, one might write `const cc := var x: int :| x <= 10; x`,
+where `cc` would get some value `x` satisfying `x < 10`.
+
+For simplicity, however, Dafny requires the variables being initialized to be simple names, not patterns.
+
+## **Error: a variable in a let expression should be initialized using ':=', ':-', or ':|', not '='** {#p_no_equal_in_let_initialization}
+
+```dafny
+method m() {
+  var x := var y = 5; y*y;
+}
+```
+
+Like local variables, let variables are initialized with `:=` (and sometimes with `:-` or `:|`), but not with `=`.
+In Dafny `=` is used only in type definitions.
+
+## **Error: ':-' can have at most one left-hand side** {#p_elephant_has_one_lhs}
+
+```dafny
+datatype Outcome<T> = 
+  | Success(value: T) 
+  | Failure(error: string) 
+{ predicate IsFailure() { this.Failure? } 
+  function PropagateFailure<U>(): Outcome<U> 
+    requires IsFailure() 
+  { Outcome<U>.Failure(this.error) // this is Outcome<U>.Failure(...) 
+  }
+ 
+  function Extract(): T requires !IsFailure() { this.value } 
+}
+
+function m(): Outcome<int> { Outcome<int>.Success(0) }
+function test(): Outcome<int> {
+  var rr, rrr :- m(); Outcome.Success(1) 
+}
+```
+
+Within a function, the `:-` operator is limited to a most one left-hand-side and exactly one-right-hand-side.
+
+## **Error: ':-' must have exactly one right-hand side** {#p_elephant_has_one_rhs}
+
+```dafny
+datatype Outcome<T> = 
+  | Success(value: T) 
+  | Failure(error: string) 
+{ predicate IsFailure() { this.Failure? } 
+  function PropagateFailure<U>(): Outcome<U> 
+    requires IsFailure() 
+  { Outcome<U>.Failure(this.error) // this is Outcome<U>.Failure(...) 
+  }
+ 
+  function Extract(): T requires !IsFailure() { this.value } 
+}
+
+function m(): Outcome<int> { Outcome<int>.Success(0) }
+function test(): Outcome<int> {
+  var rr :- m(), 44; Outcome.Success(1) 
+}
+```
+
+This error only occurs when using the elephant operator `:-` in conjunction with
+[failure-compatible types](../DafnyRef/DafnyRef#sec-failure-compatible-types)
+and in the context of a let-or-fail expression.
+
+In contrast to the let expression (`:=`), which allows multiple parallel initializations, 
+the let-or-fail expression (`:-`) is implemented to
+only allow at most a single left-hand-side and exactly one right-hand-side.
+
+## **Error: a set comprehension with more than one bound variable must have a term expression** {#p_set_comprehension_needs_term_expression}
+
+```dafny
+const s := set x, y | 0 <= x < y < 10 
+```
+
+A set comprehension (1) declares one or more variables, (2) possibly states some limits on those variables, 
+and (3) states an expression over those variables that are the values in the set.
+
+If there is no expression, then the expression is taken to be just the _one_ declared variable.
+For instance one could write `set b: bool`, which is equivalent to `set b: bool :: b` and would be the set of all `bool` values.
+Another example is `set x: nat | x < 5, which is equivalent to `set x: nat | x < 5:: x` and would be the set `{0, 1, 2, 3, 4}`.
+
+But if more than one variable is declared, then there is no natural implicit expression to fill in after the `::` if it is omitted, 
+so some expression is required. The failing example above, for example, might use the expression `x * y`, as in 
+`set x, y  | 0 <= x < y < 10 :: x * y`, or any other expression over `x` and `y`.
+
+## **Warning: opaque is deprecated as an identifier. It will soon become a reserved word. Use a different name.** {#p_deprecated_opaque_as_identifier}
+
+<!-- %check-resolve-warn -->
+```dafny
+const opaque: int
+```
+
+Because of the value to proof success of using `opaque` declarations and `reveal`ing them in appropriate contexts,
+the word `opaque` is being converted to a reserved keyword, whereas it used to be a normal identifier.
+Please rename your use of opaque as an identifier to some other name.
+
+## **Error: invalid name after a '.'** {#p_invalid_name_after_dot}
+
+This error message is not reachable in current Dafny.
+If it occurs, please report an internal bug (or obsolete documentation).
+
+## **Error: cannot declare identifier beginning with underscore** {#p_no_leading_underscore_2}
+
+```dafny
+const _myconst := 5
+```
+
+User-declared identifiers may not begin with an underscore;
+such identifiers are reserved for internal use.
+In match statements and expressions, an identifier
+that is a single underscore is used as a wild-card match.
+
+## **Warning: deprecated style: a semi-colon is not needed here {#p_deprecated_semicolon}
+
+<!-- %check-resolve %options -->
+```dafny
+const c := 5;
+```
+
+Semicolons are required after statements and declarations in method bodies,  
+but are deprecated after declarations within modules and types.
+
+## **Error: incorrectly formatted number** {#p_bad_number_format}
+
+<!-- not reachable -->
+
+This error can only result from an internal bug in the Dafny parser.
+The parser recognizes a legitimate sequence of digits (as an integer literal
+and then passes that string to a library routine to create a BigInteger
+or BigDecimal. Given the parser logic, that parsing should never fail.
+
+## **Error: incorrectly formatted number** {#p_bad_hex_number_format}
+
+<!-- not reachable -->
+
+This error can only result from an internal bug in the Dafny parser.
+The parser recognizes a legitimate sequence of hexdigits
+and then passes that string to a library routine to create a BigInteger. 
+Given the parser logic, that parsing should never fail.
+
+## **Error: incorrectly formatted number** {#p_bad_decimal_number_format}
+
+<!-- not reachable -->
+
+This error can only result from an internal bug in the Dafny parser.
+The parser recognizes a legitimate Dafny decimal number 
+and then passes that string to a library routine to create a BigDecimal. 
+Given the parser logic, that parsing should never fail.
+
+<!-- FILE ./DafnyCore/CoCo/Parser.frame -->
+
+## **Error: invalid _entity_** {#p_generic_syntax_error}
+
+<!-- TODO -->
+
+This "invalid something" message where the something is typically
+the name of an internal parser non-terminal means that the text being parsed
+is a badly malformed instance of whatever parser entity was being parsed.
+This is an automatically generated message by the CoCo parser generator
+for a situation in which no specific recovery or a
+more informative error message has been implemented.
+
+The only advice we can give is to carefully scrutinize the location of the
+error to see what might be wrong with the text. If you think this is a
+common or confusing enough occurrence to warrant special error handling,
+please suggest the improvement, with this sample code, to the Dafny team.
+
+<!-- FILE ./DafnyCore/CoCo/Scanner.frame -->
+
+## **Error: Malformed _template_ pragma: #_source_** {#sc_malformed_pragma}
+
+<!-- %no-check -->
+```dafny
+const s := @"
+#line S
+"
+```
+
+This pragma syntax is no longer supported. If this message is seen, please report it to the Dafny development team.
+The Dafny scanner once supported pragmas of the form `#line <lineno> <filename>`, with the filename optional.
+This message indicates that the pragma was not readable, most likely because the line number was not a
+parsable numeral.
+
+## **Error: Unrecognized pragma: #_source_** {#sc_unknown_pragma}
+
+<!-- %no-check -->
+```dafny
+const s := @"
+# I love hashes
+"
+```
+
+This pragma syntax is no longer supported. If this message is seen, please report it to the Dafny development team.
+The Dafny scanner saw a pragma -- the first character of the line is a # character. But it is not one that the
+scanner recognizes. The only pragma ever recognized was `#line`.
+
+<!-- ./DafnyCore/AST/Grammar/ProgramParser.cs -->
+
+## **Error: [internal error] Parser exception: _message_** {#p_internal_exception}
+
+This error indicates an internal crashing bug in Dafny. Please report it with as much of 
+the source code that causes the problem as possible.
diff --git a/v4.10.0/HowToFAQ/Errors-Parser.template b/v4.10.0/HowToFAQ/Errors-Parser.template
new file mode 100644
index 0000000..f5e57a7
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-Parser.template
@@ -0,0 +1,1185 @@
+<!-- %check-resolve %default %useHeadings %check-ids -->
+
+<!-- The file Errors-Parser.template is used along with Parser-Errors.cs to produce Errors-Parser.md.
+     Errors-Parser.template holds the structure of the markdown file and the examples of each error message.
+     Parser-Errors.cs holds the text of error explanations, so they are just in the source code rather than duplicated also in markdown.
+     The content of Errors-Parser.template and Parser-Errors.cs are tied together by the errorids.
+     Thus Errors-Parser.md is a generated file that should not be edited itself.
+     The program make-error-catalog does the file generation.
+-->
+
+<!-- ./DafnyCore/Dafny.atg -->
+
+## **Error: Duplicate declaration modifier: abstract** {#p_duplicate_modifier}
+
+```dafny
+abstract abstract module M {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a _decl_ cannot be declared 'abstract'** {#p_abstract_not_allowed}
+ 
+```dafny
+abstract const c := 4
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a function-by-method has a ghost function body and a non-ghost method body; a function-by-method declaration does not use the 'ghost' keyword.** {#p_no_ghost_for_by_method}
+
+```dafny
+ghost function f(): int
+{
+  42
+} by method {
+  return 42;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: _decl_ cannot be declared 'ghost' (it is 'ghost' by default when using --function-syntax:3)** {#p_ghost_forbidden_default_3}
+
+```dafny
+module {:options "--function-syntax:3"} M {
+  ghost function f(): int { 42 }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: _decl_ cannot be declared 'ghost' (it is 'ghost' by default)** {#p_ghost_forbidden_default}
+
+```dafny
+module {:options "--function-syntax:4"} M {
+  ghost least predicate p()
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a _decl_ cannot be declared 'ghost'** {#p_ghost_forbidden}
+
+```dafny
+ghost module M {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a _decl_ cannot be declared 'static'** {#p_no_static}
+
+```dafny
+static module M {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a _decl_ cannot be declared 'opaque'** {#p_no_opaque}
+
+```dafny
+opaque module M {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: attribute _attribute_ is deprecated {#p_deprecated_attribute}
+
+<!-- INSERT-TEXT -->
+
+## **Error: argument to :options attribute must be a literal string** {#p_literal_string_required}
+
+```dafny
+module N { const opt := "--function-syntax:4" }
+import opened N
+module {:options opt} M{}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: cannot declare identifier beginning with underscore** {#p_no_leading_underscore}
+
+```dafny
+function m(): (_: int) {0}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: sorry, bitvectors that wide (_number_) are not supported** {#p_bitvector_too_large}
+
+```dafny
+const b: bv2147483648
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: sorry, arrays of that many dimensions (_number_) are not supported** {#p_array_dimension_too_large}
+
+```dafny
+const a: array2147483648<int>
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: There is no point to an export declaration at the top level** {#p_superfluous_export}
+
+```dafny
+export M
+method M() {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: expected either a '{' or a 'refines' keyword here, found _token_** {#p_bad_module_decl}
+
+<!-- %check-resolve %first -->
+```dafny
+module M {}
+module N refine M {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: the _name_ token is the identifier for the export set, not an adjective for an extreme predicate** {#p_misplaced_least_or_greatest}
+
+<!-- %check-resolve-warn -->
+```dafny
+module M {
+  export
+  least predicate p()
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: no comma is allowed between provides and reveals and extends clauses in an export declaration** {#p_extraneous_comma_in_export}
+
+```dafny
+module M {
+  export A reveals b, a, reveals b
+  export B reveals b, a, provides b
+  export C provides b, a, reveals b
+  export D provides b, a, provides b
+  const a: int
+  const b: int
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: fields are not allowed to be declared at the module level; instead, wrap the field in a 'class' declaration** {#p_top_level_field}
+
+```dafny
+module M {
+  var c: int
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: module-level functions are always non-instance, so the 'static' keyword is not allowed here** {#p_module_level_function_always_static}
+
+<!-- %check-resolve-warn -->
+```dafny
+static predicate p() { true }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: module-level methods are always non-instance, so the 'static' keyword is not allowed here** {#p_module_level_method_always_static}
+
+<!-- %check-resolve-warn -->
+```dafny
+static method m() {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: in refining a datatype, the '...' replaces the '=' token and everything up to a left brace starting the declaration of the body; only members of the body may be changed in a datatype refinement** {#p_bad_datatype_refinement}
+
+```dafny
+abstract module M { datatype D = A | B }
+module N refines M { datatype D = ... Y | Z }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: datatype extending traits is not yet enabled by default; use --general-traits=datatype to enable it** {#p_general_traits_datatype}
+
+```dafny
+trait Trait { }
+datatype D extends Trait = A | B
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: newtype extending traits is not fully supported (specifically, compilation of such types is not supported); to use them for verification only, use --general-traits=full** {#p_general_traits_full}
+
+```dafny
+trait Trait { }
+newtype N extends Trait = int
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: module-level const declarations are always non-instance, so the 'static' keyword is not allowed here {#p_module_level_const_always_static}
+
+<!-- %check-resolve-warn -->
+```dafny
+static const i := 9
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: expected an identifier after 'const' and any attributes** {#p_const_decl_missing_identifier}
+
+```dafny
+const c := 5
+const
+const d := 5
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a const field should be initialized using ':=', not '='** {#p_bad_const_initialize_op}
+
+```dafny
+const c: int = 5
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a const declaration must have a type or a RHS value** {#p_const_is_missing_type_or_init}
+
+```dafny
+const i
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: in refining a newtype, the '...' replaces the '=' token and everything up to the left brace starting the declaration of the newtype body (if any); a newtype refinement may not change the base type of the newtype** {#p_misplaced_ellipsis_in_newtype}
+
+```dafny
+abstract module M { newtype T = int }
+module N refines M { newtype T = ... int }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: formal cannot be declared 'ghost' in this context** {#p_output_of_function_not_ghost}
+
+```dafny
+twostate function p(i: int): (ghost r: int) { true }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: formal cannot be declared 'new' in this context** {#p_no_new_on_output_formals}
+
+```dafny
+method m(i: int) returns (new r: int) { r := 0; }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: formal cannot be declared 'nameonly' in this context** {#p_no_nameonly_on_output_formals}
+
+```dafny
+method m(i: int) returns (nameonly r: int) { r := 0; }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: formal cannot be declared 'older' in this context** {#p_no_older_on_output_formals}
+
+```dafny
+method m(i: int) returns (older r: int) { r := 0; }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a mutable field must be declared with a type** {#p_var_decl_must_have_type}
+
+```dafny
+class A {
+  var f
+  const g := 5
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a mutable field may not have an initializer** {#p_no_init_for_var_field}
+
+```dafny
+class A {
+  var x: int := 6
+  var y: int, x: int := 6, z: int
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: invalid formal-parameter name in datatype constructor** {#p_datatype_formal_is_not_id}
+
+```dafny
+datatype D = Nil | D(int: uint8) 
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: use of the 'nameonly' modifier must be accompanied with a parameter name** {#p_nameonly_must_have_parameter_name}
+
+```dafny
+datatype D = D (i: int, nameonly int) {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: iterators don't have a 'returns' clause; did you mean 'yields'?** {#p_should_be_yields_instead_of_returns}
+
+```dafny
+iterator Count(n: nat) returns (x: nat) {
+  var i := 0;
+  while i < n {
+    x := i;
+    yield;
+    i := i + 1;
+  }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: type-parameter variance is not allowed to be specified in this context** {#p_type_parameter_variance_forbidden}
+
+```dafny
+type List<T>
+method m<+T>(i: int, list: List<T>) {}
+method m<T,-U>(i: int, list: List<T>) {}
+```
+
+<!-- INSERT-TEXT -->
+
+<!-- There are two instances of this error, one for the first item in a type parameter list, and one for subsequent items -->
+
+## **Error: unexpected type characteristic: '000' should be one of == or 0 or 00 or !new** {#p_unexpected_type_characteristic}
+
+```dafny
+type T(000)
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: extra comma or missing type characteristic: should be one of == or 0 or 00 or !new** {#p_missing_type_characteristic}
+
+<!-- %no-check - TODO - fix to better error recovery after 4.0 -->
+```dafny
+type T(0,,0)
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: illegal type characteristic: '_token_' should be one of == or 0 or 00 or !new** {#p_illegal_type_characteristic}
+
+```dafny
+type T(X)
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: the old keyword 'colemma' has been renamed to the keyword phrase 'greatest lemma'** {#p_deprecated_colemma}
+
+<!-- %check-resolve-warn -->
+```dafny
+colemma m() ensures true {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: the old keyword phrase 'inductive lemma' has been renamed to 'least lemma'** {#p_deprecated_inductive_lemma}
+
+<!-- %check-resolve-warn -->
+```dafny
+inductive lemma m() ensures true {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: constructors are allowed only in classes** {#p_constructor_not_in_class}
+
+```dafny
+module M {
+  constructor M() {}
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a method must be given a name (expecting identifier)** {#p_method_missing_name}
+
+```dafny
+method {:extern "M"} (i: int) {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: type of _k_ can only be specified for least and greatest lemmas** {#p_extraneous_k}
+
+```dafny
+lemma b[nat](i: int) { }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: constructors cannot have out-parameters** {#p_constructors_have_no_out_parameters}
+
+```dafny
+class C {
+  constructor (i: int) returns (j: int) {}
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: A 'reads' clause that contains '*' is not allowed to contain any other expressions** {#p_reads_star_must_be_alone}
+
+```dafny
+const a: object
+function f(): int
+  reads a, *
+{
+  0
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: out-parameters cannot have default-value expressions** {#p_no_defaults_for_out_parameters}
+
+```dafny
+method m(i: int) returns (j: int := 0) { return 42; }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: set type expects only one type argument** {#p_set_only_one_type_parameter}
+
+```dafny
+const c: set<int,bool>
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: iset type expects only one type argument** {#p_iset_only_one_type_parameter}
+
+```dafny
+const c: iset<int,bool>
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: multiset type expects only one type argument** {#p_multiset_only_one_type_parameter}
+
+```dafny
+const c: multiset<int,bool>
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: seq type expects only one type argument** {#p_seq_only_one_type_parameter}
+
+```dafny
+const c: seq<int,bool>
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: map type expects two type arguments** {#p_map_needs_two_type_parameters}
+
+```dafny
+const m: map<int,bool,string>
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: imap type expects two type arguments** {#p_imap_needs_two_type_parameters}
+
+```dafny
+const m: imap<int,bool,string>
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: arrow-type arguments may not be declared as 'ghost'** {#p_no_ghost_arrow_type_arguments}
+
+```dafny
+const f: (ghost int, bool) -> int
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: empty type parameter lists are not permitted** {#p_no_empty_type_parameter_list}
+
+<!-- Not reachable -->
+
+<!-- INSERT-TEXT -->
+
+## **Error: a formal [ ] declaration is only allowed for least and greatest predicates** {#p_formal_ktype_only_in_least_and_greatest_predicates}
+
+```dafny
+predicate p[nat]() { true }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: the old keyword phrase 'inductive predicate' has been renamed to 'least predicate' {#p_deprecated_inductive_predicate}
+
+<!-- %check-resolve-warn -->
+```dafny
+inductive predicate p()
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: the old keyword 'copredicate' has been renamed to the keyword phrase 'greatest predicate' {#p_deprecated_copredicate}
+
+<!-- %check-resolve-warn -->
+```dafny
+copredicate p()
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a 'by method' implementation is not allowed on a twostate _what_** {#p_no_by_method_in_twostate}
+
+```dafny
+class Cell { var data: int  constructor(i: int) { data := i; } }
+twostate predicate Increasing(c: Cell)
+  reads c
+{
+  old(c.data) <= c.data
+} by method {
+  return old(c.data) <= c.data;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a 'by method' implementation is not allowed on an extreme predicate** {#p_no_by_method_in_extreme_predicate}
+
+```dafny
+least predicate g() { 42 } by method { return 42; }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: to use a 'by method' implementation with a _what_, declare _id_ using _what_, not '_what_ method'** {#p_no_by_method_for_ghost_function}
+
+```dafny
+function method m(): int {
+  42
+} by method {
+  return 42;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a _adjective_ _what_ is supported only as ghost, not as a compiled _what_** {#p_twostate_and_extreme_are_always_ghost}
+
+```dafny
+twostate function method m(): int {
+  42
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a _what_ is always ghost and is declared with '_what_'** {#p_old_ghost_syntax}
+
+```dafny
+module {:options "--function-syntax:experimentalPredicateAlwaysGhost"} M {
+  predicate method p() { true }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: the phrase '_what_ method' is not allowed when using --function-syntax:4; to declare a compiled predicate, use just 'predicate'** {#p_deprecating_predicate_method}
+
+```dafny
+module {:options "--function-syntax:4"} M {
+  predicate method f() { true }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: the phrase '_what_ method' is not allowed when using --function-syntax:4; to declare a compiled function, use just 'function'** {#p_deprecating_function_method}
+
+```dafny
+module {:options "--function-syntax:4"} M {
+  function method f(): int { 42 }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: there is no such thing as a 'ghost predicate method'** {#p_no_ghost_predicate_method}
+
+```dafny
+module {:options "--function-syntax:experimentalDefaultGhost"} M {
+  ghost predicate method f() { true }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: there is no such thing as a 'ghost function method'** {#p_no_ghost_function_method}
+
+```dafny
+module {:options "--function-syntax:experimentalDefaultGhost"} M {
+  ghost function method f(): int { 42 }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a _what_ must be declared as either 'ghost _what_' or '_what_ method' when using --function-syntax:migration3to4** {#p_migration_syntax}
+
+```dafny
+module {:options "--function-syntax:migration3to4"} M {
+  function f(): int { 42 }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: formal cannot be declared 'ghost' in this context** {#p_no_ghost_formal}
+
+```dafny
+ghost predicate p(ghost i: int) { true }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: 'decreases' clauses are meaningless for least and greatest predicates, so they are not allowed** {#p_no_decreases_for_extreme_predicates}
+
+```dafny
+least predicate m(i: int)
+  decreases i
+{
+  true
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: _name_ return type should be bool, got _type_** {#p_predicate_return_type_must_be_bool}
+
+```dafny
+predicate b(): (r: boolean) { 4 }
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: _name_s do not have an explicitly declared return type; it is always bool. Unless you want to name the result: ': (result: bool)'** {#p_no_return_type_for_predicate}
+
+<!-- %no-check TODO - this example crashes -->
+```dafny
+predicate p(): bool { true } 
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: A '*' expression is not allowed here** {#p_no_wild_expression}
+
+```dafny
+function m(i: int): int
+  decreases *
+{
+  42
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: A '*' frame expression is not permitted here** {#p_no_wild_frame_expression}
+
+```dafny
+iterator Gen(start: int) yields (x: int)
+  reads *
+{
+  var i := 0;
+  while i < 10 invariant |xs| == i {
+    x := start + i;
+    yield;
+    i := i + 1;
+  }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: _kind_ refinement is deprecated** {#p_deprecated_statement_refinement}
+
+<!-- TODO -->
+
+<!-- INSERT-TEXT -->
+
+## **Error: invalid statement beginning here (is a 'label' keyword missing? or a 'const' or 'var' keyword?)** {#p_invalid_colon}
+
+```dafny
+method m(n: nat) {
+  x: while (0 < n) { break x; }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: An initializing element display is allowed only for 1-dimensional arrays** {#p_initializing_display_only_for_1D_arrays}
+
+```dafny
+method m() {
+  var a := new int[2,2] [1,2,3,4];
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a local variable should be initialized using ':=', ':-', or ':|', not '='** {#p_no_equal_for_initializing}
+
+```dafny
+method m() {
+  var x = 5;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: LHS of assign-such-that expression must be variables, not general patterns** {#p_no_patterns_and_such_that}
+
+```dafny
+datatype D = D(x: int, y: int)
+method m() {
+  var D(x,y) :| x + y == 5;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: 'modifies' clauses are not allowed on refining loops** {#p_no_modifies_on_refining_loops}
+
+<!-- TODO _ example -->
+
+<!-- INSERT-TEXT -->
+
+## **Error: Expected 'to' or 'downto'** {#p_to_or_downto}
+
+```dafny
+method m(n: nat) {
+  for i := n DownTo 0 {}
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: A 'decreases' clause that contains '*' is not allowed to contain any other expressions** {#p_no_decreases_expressions_with_star}
+
+```dafny
+method f(n: int) returns (r: int)
+  decreases *, n
+{
+  r := if n == 0 then n else -1-f(n-1);
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: expected either 'by' or a semicolon following the assert expression** {#p_assert_needs_by_or_semicolon}
+
+```dafny
+method m() {
+  assert true
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: a forall statement with no bound variables is deprecated; use an 'assert by' statement instead** {#p_deprecated_forall_with_no_bound_variables}
+
+<!-- INSERT-TEXT -->
+
+## **Warning: the modify statement with a block statement is deprecated** {#p_deprecated_modify_statement_with_block}
+
+<!-- INSERT-TEXT -->
+
+## **Error: the main operator of a calculation must be transitive** {#p_calc_operator_must_be_transitive}
+
+```dafny
+lemma abs(a: int, b: int, c: int)
+  ensures a + b + c == c + b + a
+{
+  calc != {
+    a + b + c;
+    a + c + b;
+    c + a + b;
+  }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: this operator cannot continue this calculation** {#p_invalid_calc_op_combination}
+
+```dafny
+lemma abs(a: int, b: int, c: int)
+  ensures a + b + c == c + b + a
+{
+  calc {
+    a + b + c;
+    !=
+    a + c + b;
+    !=
+    c + a + b;
+  }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a calculation cannot end with an operator** {#p_calc_dangling_operator}
+
+```dafny
+lemma abs(a: int, b: int, c: int)
+  ensures a + b + c == c + b + a
+{
+  calc {
+    a + b + c;
+    ==
+  }
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: Calls with side-effects such as constructors are not allowed in expressions.** {#p_no_side_effects_in_expressions}
+
+```dafny
+class A { function f(): int { 0 } }
+const c := (new A).f()
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: Ambiguous use of ==> and <==. Use parentheses to disambiguate.** {#p_ambiguous_implies}
+
+```dafny
+const b := true <== false ==> true
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: Ambiguous use of ==> and <==. Use parentheses to disambiguate.** {#p_ambiguous_implies_2}
+
+```dafny
+const b := true ==> false <== true
+```
+
+<!-- INSERT-TEXT -->
+
+<!-- There are two instances of this error, one in which the first operator is ==> and one in which it is <== -->
+
+## **Error: Ambiguous use of && and ||. Use parentheses to disambiguate.** {#p_ambiguous_and_or}
+
+```dafny
+const b := true && false || true
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: chaining not allowed from the previous operator** {#p_invalid_equal_chaining}
+
+```dafny
+const c := 1 in {1} == true
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a chain cannot have more than one != operator** {#p_invalid_notequal_chaining}
+
+```dafny
+const c := 1 != 2 != 3
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: this operator cannot continue this chain** {#p_invalid_operator_in_chain}
+
+```dafny
+const c := {} !! {} != {}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: this operator chain cannot continue with an ascending operator** {#p_invalid_descending_chaining}
+
+```dafny
+const c := 2 > 3 < 4
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: this operator chain cannot continue with a descending operator** {#p_invalid_ascending_chaining}
+
+```dafny
+const c := 2 < 3 > 4
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: can only chain disjoint (!!) with itself** {#p_invalid_disjoint_chaining}
+
+```dafny
+const c := 2 < 3 !! 4
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: this operator cannot be part of a chain** {#p_operator_does_not_chain}
+
+```dafny
+const c := 2 < 3 in 4
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: invalid relational operator** {#p_bang_not_a_relational_op}
+
+```dafny
+const s : set<int>
+const r := s ! s
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: invalid relational operator (perhaps you intended \"!!\" with no intervening whitespace?)** {#p_invalid_relational_op}
+
+```dafny
+const s : set<int>
+const r := s ! ! s
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: Ambiguous use of &, |, ^. Use parentheses to disambiguate.** {#p_ambiguous_bitop}
+
+```dafny
+const i: int := 5 | 6 & 7
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: too many characters in character literal** {#p_invalid_char_literal}
+
+<!-- %check-resolve %options --allow-deprecation --unicode-char:false -->
+```dafny
+const c := '🚀'
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: binding not allowed in parenthesized expression** {#p_no_parenthesized_binding}
+
+```dafny
+method m() {
+  var c := ( 4 := 5 );
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: A forming expression must be a multiset** {#p_must_be_multiset}
+
+<!-- INSERT-TEXT -->
+
+## **Error: seq type expects only one type argument** {#p_seq_display_has_one_type_argument}
+
+```dafny
+const c := seq<int,int>(5, i=>i)
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a map comprehension with more than one bound variable must have a term expression of the form 'Expr := Expr'** {#p_map_comprehension_must_have_term_expression}
+
+```dafny
+const s := map x, y  | 0 <= x < y < 10 :: x*y
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: LHS of let-such-that expression must be variables, not general patterns** {#p_no_patterns_in_let_such_that}
+
+```dafny
+datatype Data = D(i: int, j: int)
+const c: int := var Data(d,dd) :| d == 10 && dd == 11; d
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a variable in a let expression should be initialized using ':=', ':-', or ':|', not '='** {#p_no_equal_in_let_initialization}
+
+```dafny
+method m() {
+  var x := var y = 5; y*y;
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: ':-' can have at most one left-hand side** {#p_elephant_has_one_lhs}
+
+```dafny
+datatype Outcome<T> = 
+  | Success(value: T) 
+  | Failure(error: string) 
+{ predicate IsFailure() { this.Failure? } 
+  function PropagateFailure<U>(): Outcome<U> 
+    requires IsFailure() 
+  { Outcome<U>.Failure(this.error) // this is Outcome<U>.Failure(...) 
+  }
+ 
+  function Extract(): T requires !IsFailure() { this.value } 
+}
+
+function m(): Outcome<int> { Outcome<int>.Success(0) }
+function test(): Outcome<int> {
+  var rr, rrr :- m(); Outcome.Success(1) 
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: ':-' must have exactly one right-hand side** {#p_elephant_has_one_rhs}
+
+```dafny
+datatype Outcome<T> = 
+  | Success(value: T) 
+  | Failure(error: string) 
+{ predicate IsFailure() { this.Failure? } 
+  function PropagateFailure<U>(): Outcome<U> 
+    requires IsFailure() 
+  { Outcome<U>.Failure(this.error) // this is Outcome<U>.Failure(...) 
+  }
+ 
+  function Extract(): T requires !IsFailure() { this.value } 
+}
+
+function m(): Outcome<int> { Outcome<int>.Success(0) }
+function test(): Outcome<int> {
+  var rr :- m(), 44; Outcome.Success(1) 
+}
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: a set comprehension with more than one bound variable must have a term expression** {#p_set_comprehension_needs_term_expression}
+
+```dafny
+const s := set x, y | 0 <= x < y < 10 
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: opaque is deprecated as an identifier. It will soon become a reserved word. Use a different name.** {#p_deprecated_opaque_as_identifier}
+
+<!-- %check-resolve-warn -->
+```dafny
+const opaque: int
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: invalid name after a '.'** {#p_invalid_name_after_dot}
+
+<!-- INSERT-TEXT -->
+
+## **Error: cannot declare identifier beginning with underscore** {#p_no_leading_underscore_2}
+
+```dafny
+const _myconst := 5
+```
+
+<!-- INSERT-TEXT -->
+
+## **Warning: deprecated style: a semi-colon is not needed here {#p_deprecated_semicolon}
+
+<!-- %check-resolve %options -->
+```dafny
+const c := 5;
+```
+
+<!-- INSERT-TEXT -->
+
+## **Error: incorrectly formatted number** {#p_bad_number_format}
+
+<!-- not reachable -->
+
+<!-- INSERT-TEXT -->
+
+## **Error: incorrectly formatted number** {#p_bad_hex_number_format}
+
+<!-- not reachable -->
+
+<!-- INSERT-TEXT -->
+
+## **Error: incorrectly formatted number** {#p_bad_decimal_number_format}
+
+<!-- not reachable -->
+
+<!-- INSERT-TEXT -->
+
+<!-- FILE ./DafnyCore/CoCo/Parser.frame -->
+
+## **Error: invalid _entity_** {#p_generic_syntax_error}
+
+<!-- TODO -->
+
+<!-- INSERT-TEXT -->
+
+<!-- FILE ./DafnyCore/CoCo/Scanner.frame -->
+
+## **Error: Malformed _template_ pragma: #_source_** {#sc_malformed_pragma}
+
+<!-- %no-check -->
+```dafny
+const s := @"
+#line S
+"
+```
+
+This pragma syntax is no longer supported. If this message is seen, please report it to the Dafny development team.
+The Dafny scanner once supported pragmas of the form `#line <lineno> <filename>`, with the filename optional.
+This message indicates that the pragma was not readable, most likely because the line number was not a
+parsable numeral.
+
+## **Error: Unrecognized pragma: #_source_** {#sc_unknown_pragma}
+
+<!-- %no-check -->
+```dafny
+const s := @"
+# I love hashes
+"
+```
+
+This pragma syntax is no longer supported. If this message is seen, please report it to the Dafny development team.
+The Dafny scanner saw a pragma -- the first character of the line is a # character. But it is not one that the
+scanner recognizes. The only pragma ever recognized was `#line`.
+
+<!-- ./DafnyCore/AST/Grammar/ProgramParser.cs -->
+
+## **Error: [internal error] Parser exception: _message_** {#p_internal_exception}
+
+<!-- INSERT-TEXT -->
diff --git a/v4.10.0/HowToFAQ/Errors-Refinement.md b/v4.10.0/HowToFAQ/Errors-Refinement.md
new file mode 100644
index 0000000..eb4b6dd
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-Refinement.md
@@ -0,0 +1,998 @@
+
+<!-- %check-resolve %default %useHeadings -->
+
+
+<!-- FILE ./DafnyCore/Rewriters/RefinementTransformer.cd -->
+
+## **Error: _submod_ in _module_ cannot be imported with "opened" because it does not match the corresponding import in the refinement base _base_.** {#ref_refinement_import_must_match_opened_base}
+
+<!-- TODO -->
+
+## **Error: _submod_ in _module_ must be imported with "opened"  to match the corresponding import in its refinement base _base_.** {#ref_refinement_import_must_match_non_opened_base}
+
+<!-- TODO -->
+
+## **Error: a type synonym (_name_) is not allowed to replace a _kind_ from the refined module (_refined_), even if it denotes the same type** {#ref_refinement_type_must_match_base}
+
+```dafny
+module P {
+  type T = int
+}
+module Q refines P {
+  type T = int
+}
+```
+
+A refining declaration must make the base declaration more specific. It may not just be the same declaration (although sometimes that might be convenient).
+
+## **Error: to redeclare and refine declaration '_name_' from module '_refined_', you must use the refining (`...`) notation** {#ref_refining_notation_needed}
+
+<!-- TODO -->
+
+## **Error: declaration '_name_' indicates refining (notation `...`), but does not refine anything** {#ref_refining_notation_does_not_refine}
+
+```dafny
+module P {
+}
+module Q refines P {
+  export A ...
+}
+```
+
+A refining declaration that uses `...` must actually be refining a corresponding declaration in the base module.
+
+## **Error: can't change if a module export is default (_name_)** {#ref_default_export_unchangeable}
+
+```dafny
+module P {
+  const c: int
+  export reveals c
+}
+module Q refines P {
+  export P ...
+}
+```
+
+If a base module P has a default export (implicitly named P), then a refining module, Q, may not declare an export set P with the intention of refining it.
+
+## **Error: a module (_name_) must refine another module** {#ref_module_must_refine_module}
+
+<!-- TODO -->
+
+## **Error: a module export (_name_) must refine another export** {#ref_export_must_refine_export}
+
+<!-- TODO -- suspect not reachable -->
+
+## **Error: a module (_name_) can only refine a module facade** {#ref_base_module_must_be_facade}
+
+<!-- TODO -->
+
+## **Error: a module (_name_) must refine another module** {#ref_module_must_refine_module_2}
+
+```dafny
+module P {
+  type W
+}
+module Q refines P {
+  module W {}
+}
+```
+
+A submodule M within a module that is refining some base module must refine some submodule M in the base module.
+
+## **Error: to be a refinement of _kind_ '_name_' declared with (==), _kind_ '_name_' must support equality {#ref_mismatched_type_characteristics_equality}
+
+```dafny
+module P {
+  type T(==)
+}
+module Q refines P {
+  type T = AlwaysAndForeverMore
+  codatatype AlwaysAndForeverMore = Cons(int, AlwaysAndForeverMore)
+}
+```
+
+The abstract type `T` in module `P` says it supports equality, but its attempted refinement in module `Q` does not.
+Codatatypes do not generally support equality and so cannot be refinements of equality-supporting abstract types.
+
+## **Error: to be a refinement of _kind_ '_name_' declared with (!new), _kind_ '_name_' must contain no references {#ref_mismatched_type_characteristics_noreferences}
+
+```dafny
+module P {
+  type T(!new)
+}
+module Q refines P {
+  type T = (int, bool, array<real>)
+}
+```
+
+The abstract type `T` in module `P` says it contains no reference, but its attempted refinement in module `Q` does.
+A refining type must support the type characteristics declared of the refined type.
+
+## **Error: to be a refinement of _kind_ '_name_' declared with (00), _kind_ '_name_' must be nonempty {#ref_mismatched_type_characteristics_nonempty}
+
+```dafny
+module P {
+  type T(00)
+}
+module Q refines P {
+  type T = A
+  class A { }
+}
+```
+
+The abstract type `T` in module `P` uses the type characteristic `(00)` to say that it is nonempty. However, a class type is
+not generally known to be nonempty, so `A` cannot be used as a refinement for `T` in `Q`.
+
+For this particular situation, a possible remedy would be to instead use `type T = A?`, since the nullable type `A?` is known to be nonempty.
+
+## **Error: to be a refinement of _kind_ '_name_' declared with (0), _kind_ '_name_' must support auto-initialization {#ref_mismatched_type_characteristics_autoinit}
+
+```dafny
+module P {
+  type T(0)
+}
+module Q refines P {
+  type T = A
+  class A { }
+}
+```
+
+The abstract type `T` in module `P` uses the type characteristic `(00)` to say that it can be auto-initialized. However, a class type does
+not support auto-initialization, so `A` cannot be used as a refinement for `T` in `Q`.
+
+For this particular situation, a possible remedy would be to instead use `type T = A?`, since the nullable type `A?` does support auto-initialization.
+
+## **Error: a _kind_ (_name_) cannot declare members, so it cannot refine an abstract type with members** {#ref_mismatched_type_with_members}
+
+```dafny
+module P {
+  type T {
+    method m() {}
+  }
+}
+module Q refines P {
+  type T = int
+}
+```
+
+When refining a declaration, the refined declaration has all the characteristics of the base declaration, including any members of the base declaration.
+Some declarations do not have members, such as subset types and type synonyms, so they cannot refine a declaration that has members declared in the base.
+
+## **Error: an abstract type declaration (_name_) in a refining module cannot replace a more specific type declaration in the refinement base** {#ref_mismatched_abstractness}
+
+```dafny
+module P {
+  type T = int
+}
+module Q refines P {
+  type T ...
+}
+```
+
+The purpose of refinement is to replace abstract or incompletely defined declarations with more specific declarations.
+Hence a type that is defined in a refinement base cannot be an abstract type in the refining module.
+
+## **Error: a _kind_ declaration (_name_) in a refinement module can only refine a _kind_ declaration or replace an abstract type declaration** {#ref_declaration_must_refine}
+
+```dafny
+module P {
+  type T = int
+}
+module Q refines P {
+  datatype T ... {}
+}
+```
+
+The purpose of refinement is to replace abstract or incompletely defined declarations with more specific declarations.
+The refining declaration needs to be the same kind of declaration as in the base.
+
+
+## **Error: an iterator declaration (_name_) in a refining module cannot replace a different kind of declaration in the refinement base** {#ref_iterator_must_refine_iterator}
+
+<!-- %check-resolve %first -->
+```dafny
+module P {
+  class I {}
+}
+module Q refines P {
+  iterator I...
+}
+```
+
+Iterators may only refine iterator declarations.
+
+## **Error: a type (_name_) in a refining module may not replace an already defined type (even with the same value)** {#ref_base_type_cannot_be_refined}
+
+<!-- TODO - does not appear to be reachable -->
+
+## **Error: a module (_name_) can only be refined by an alias module or a module facade** {#ref_base_module_must_be_abstract_or_alias}
+
+<!-- TODO  - not sure this is reachable-->
+
+## **Error: a refining iterator is not allowed to add preconditions** {#ref_no_new_iterator_preconditions}
+
+```dafny
+module P {
+  iterator I() yields (x: int)
+}
+module Q refines P {
+  iterator I... requires true
+}
+```
+
+There are restrictions on what may change when refining an iterator. In particular, no new preconditions may be added
+even if they are implied by the base declarations's preconditions.
+
+## **Error: a refining iterator is not allowed to add yield preconditions** {#ref_no_new_iterator_yield_preconditions}
+
+```dafny
+module P {
+  iterator I() yields (x: int)
+}
+module Q refines P {
+  iterator I... yield requires true
+}
+```
+
+There are restrictions on what may change when refining an iterator. In particular, no new yield preconditions may be added
+even if they are implied by the base declarations's preconditions.
+
+
+## **Error: a refining iterator is not allowed to extend the reads clause** {#ref_no_new_iterator_reads}
+
+```dafny
+module P {
+  iterator I() yields (x: int)
+}
+module Q refines P {
+  iterator I... reads {}
+}
+```
+
+There are restrictions on what may change when refining an iterator. In particular, no new reads clauses may be added
+even if they are contained within the base declarations's reads clauses.
+
+
+## **Error: a refining iterator is not allowed to extend the modifies clause** {#ref_no_new_iterator_modifies}
+
+```dafny
+module P {
+  iterator I() yields (x: int)
+}
+module Q refines P {
+  iterator I... modifies {}
+}
+```
+
+There are restrictions on what may change when refining an iterator. In particular, no new modifies clauses may be added
+even if they list objects that are contained within the base declarations's modifies clauses.
+
+
+## **Error: a refining iterator is not allowed to extend the decreases clause** {#ref_no_new_iterator_decreases}
+
+```dafny
+module P {
+  iterator I() yields (x: int)
+}
+module Q refines P {
+  iterator I... decreases 1 {}
+}
+```
+
+There are restrictions on what may change when refining an iterator. In particular, no new decreases clause may be added
+even if it is the same as or implied by the base declaration's decreases clause.
+
+
+## **Error: a const declaration (_name_) in a refining class (_class_) must replace a const in the refinement base** {#ref_const_must_refine_const}
+
+```dafny
+module P {
+  class A { var c: int }
+}
+module Q refines P {
+  class A ... { const c: int }
+}
+```
+
+Following the general rule that declarations in the base module are replaced by more specific declarations of the same kind in the refining module,
+a `const` declaration in the refining module must replace a `const` declaration in the base module (with the same type).
+
+## **Error: the type of a const declaration (_name_) in a refining class (_class_) must be syntactically the same as for the const being refined** {#ref_no_changed_const_type}
+
+```dafny
+module P {
+  type T = bool
+  class A { const c: bool }
+}
+module Q refines P {
+  class A ... { const c: T }
+}
+```
+
+The declarations in a refining module must have the same type as in the base module. In fact, to enable easier checking that the type
+has not changed, the type must be expressed in the same syntactic form in the two declarations. For example, it is not permitted to use a type in a base declaration and 
+an equivalent type synonym for the corresponding variable in the refinement.
+
+## **Error: a const re-declaration (_name_) can give an initializing expression only if the const in the refinement base does not** {#ref_no_refining_const_initializer}
+
+```dafny
+module P {
+  const c := 7
+}
+module Q refines P {
+  const c := 8
+}
+```
+
+A refined declaration of a `const` may add an initializer, but it cannot replace an initializer declared in the base,
+even if it is syntactically the same value, such as an explicit literal in one place and an equivalent expression in the other.
+
+## **Error: a const in a refining module cannot be changed from static to non-static or vice versa: _name_** {#ref_mismatched_module_static}
+
+```dafny
+module P {
+ class A {const c: int }
+}
+module Q refines P {
+  class A ... { static const c := 7 }
+}
+```
+
+A `const` declaration that is in a class that is being refined cannot change its static-ness.
+
+## **Error: a const re-declaration (_name_) is not allowed to remove 'ghost' from the const declaration** {#ref_mismatched_const_ghost}
+
+```dafny
+module P {
+  ghost const c := 7
+}
+module Q refines P {
+  const c: int
+}
+```
+
+A `const` refining declaration cannot change the declaration from `ghost` to non-ghost.
+
+## **Error: a const re-declaration (_name_) must be to add 'ghost' to the const declaration_info_** {#ref_refinement_must_add_const_ghost}
+
+```dafny
+module P {
+  const c := 7
+}
+module Q refines P {
+  const c: int
+}
+```
+
+A `const` refinement must change something. It can add a `ghost` modifier or it can add an initializer.
+
+## **Error: a field declaration (_name_) in a refining class (_class_) must replace a field in the refinement base** {#ref_field_must_refine_field}
+
+```dafny
+module P {
+  type T = int
+  class A { const c: int }
+}
+module Q refines P {
+  class A ... { var c: T }
+}
+```
+
+Following the general rule that declarations in the base module are replaced by more specific declarations of the same kind in the refining module,
+a `var` declaration in a refining class must replace a `var` declaration in the class of the base module (with the same type).
+
+
+## **Error: a field declaration (_name_) in a refining class (_class_) must repeat the syntactically same type as the field has in the refinement base** {#ref_mismatched_field_name}
+
+```dafny
+module P {
+  type T = int
+  class A { var c: int }
+}
+module Q refines P {
+  class A ... { var c: T }
+}
+```
+
+The field declarations in a refining class must have the same type as in the class in the base module. In fact, to enable easier checking that the type
+has not changed, the type must be expressed in the same syntactic form in the two declarations. For example, it is not permitted to use a type 
+in a base declaration and an equivalent type synonym in the corresponding place in the refinement.
+
+
+## **Error: a field re-declaration (_name_) must be to add 'ghost' to the field declaration** {#ref_refinement_field_must_add_ghost}
+
+```dafny
+module P {
+  class A { var c: int }
+}
+module Q refines P {
+  class A ... { var c: int }
+}
+```
+
+When a class is being refined, any field declaration in the base is copied into the refinement.
+If there is a redeclaration of the field, it must be to add a `ghost` modifier.
+
+## **Error: a _kind_ declaration (_name_) can only refine a _kind_** {#ref_mismatched_refinement_kind}
+
+```dafny
+module P {
+  function f(i: int): bool
+}
+module Q refines P {
+  predicate f(i: int) { true }
+}
+```
+
+The refining declaration must be the same kind of declaration as the base declaration.
+For example both must be predicates or both must be functions (even if the function is one that returns a `bool`).
+
+## **Error: a refining _kind_ is not allowed to add preconditions** {#ref_refinement_no_new_preconditions}
+
+```dafny
+module P {
+  predicate m(i: nat)
+}
+module Q refines P {
+  predicate m(i: nat) requires true { true }
+}
+```
+
+A function in a refining module must be able to be used in the same way as the abstract function in the base module.
+If there are additional preconditions, then the call contexts for the refined function may be more restricted than for the base function.
+Thus no new preconditions may be added. This is a syntactic check, so no preconditions can be added even if they
+are implied by the existing preconditions.
+
+## **Error: a refining _kind_ is not allowed to extend the reads clause** {#ref_refinement_no_new_reads}
+
+```dafny
+module P {
+  predicate m() reads {}
+}
+module Q refines P {
+  predicate m() reads this {true }
+}
+```
+
+A function in a refining module must be able to be used in the same way as the abstract function in the base module.
+Extending the reads clause with additional objects cxhanges this equivalence and is not allowed.
+This change is syntactic. The refining function is not allowed to write any reads clauses. It just inherits those from
+the base declaration. This is the case even if the new reads clause is a repetition or subset of the base declaration.
+
+## **Error: decreases clause on refining _kind_ not supported** {#ref_no_new_decreases}
+
+```dafny
+module P {
+  predicate m(i: nat) reads {}
+}
+module Q refines P {
+  predicate m(i: nat) decreases i {true }
+}
+```
+
+For simplicity, a refining function is not allowed to add decreases clauses to its declaration.
+
+## **Error: a function in a refining module cannot be changed from static to non-static or vice versa: _name_** {#ref_mismatched_function_static}
+
+```dafny
+module P {
+  class A { predicate m(i: nat) }
+}
+module Q refines P {
+  class A ... { static predicate m(i: nat) {true } }
+}
+```
+
+The static-ness of a function declaration in a refining class must be the same as in the base class.
+
+## **Error: a compiled function cannot be changed into a ghost function in a refining module: _name_** {#ref_mismatched_function_compile}
+
+```dafny
+module P {
+  predicate m(i: nat)
+}
+module Q refines P {
+  ghost predicate m(i: nat)
+}
+```
+
+If a function is declared as non-ghost in the base module, it may not be declared `ghost` in the refining module.
+
+## **Error: a ghost function can be changed into a compiled function in a refining module only if the function has not yet been given a body: _name_** {#ref_no_refinement_function_with_body}
+
+<!-- %check-resolve %first -->
+```dafny
+module P {
+  ghost predicate m(i: nat) { true }
+}
+module Q refines P {
+  predicate m(i: nat) { true }
+}
+```
+
+If a function is declared ghost in a base module, it can then be given a body and declared non-ghost in the refined version of the module.
+But in the case where the the base declaration already has a body and is `ghost`, the refined declaration cannot then change the function to non-ghost.
+
+## **Error: the name of function return value '_function_'(_result_) differs from the name of corresponding function return value in the module it refines (_otherresult_)** {#ref_mismatched_function_return_name}
+
+```dafny
+module P {
+  function f(a: int): (r: int)
+}
+module Q refines P {
+  function f(a: int): (s: int) { 0 }
+}
+```
+
+When refining a function, the input and output signature must stay precisely the same -- formals, types, and names -- including the name of the function result.
+
+
+## **Error: the result type of function '_function_' (_type_) differs from the result type of the corresponding function in the module it refines (_othertype_)** {#ref_mismatched_function_return_type}
+
+```dafny
+module P {
+  function f(a: int): int { 0 }
+}
+module Q refines P {
+  function f(a: int): bool
+}
+```
+
+When refining a function, the input and output signature must stay precisely the same -- formals, types, and names --
+including the type of the function result. The types must be syntactically identical; it is not allowed
+to use a type and an equivalent type synonym, for example.
+
+## **Error: a refining _kind_ is not allowed to extend/change the body** {#ref_mismatched_refinement_body}
+
+```dafny
+module P {
+  function f(a: int): int { 0 }
+}
+module Q refines P {
+  function f(a: int): int { 0 }
+}
+```
+
+When refining a function, the refining declaration can not include a body if the base declaration has a body, even if the texts of the bodies are identical.
+
+## **Error: a method declaration (_name_) can only refine a method** {#ref_method_refines_method}
+
+```dafny
+module P {
+  function m(a: int): int
+}
+module Q refines P {
+  method m(a: int)  {}
+}
+```
+
+The refining declaration must be the same kind of declaration as the base declaration.
+For example both must be methods.
+
+
+## **Error: a refining method is not allowed to add preconditions** {#ref_no_new_method_precondition}
+
+```dafny
+module P {
+  method m() {}
+}
+module Q refines P {
+  method m() requires true {}
+}
+```
+
+A method in a refining module must be able to be used in the same way as the abstract method in the base module.
+If there are additional preconditions, then the calling contexts permitted for the refined method may be more restricted than those for the abstract base method.
+Thus no new preconditions may be added. This is a syntactic check, so no preconditions can be added even if they
+are implied by the existing preconditions.
+
+
+## **Error: a refining method is not allowed to extend the modifies clause** {#ref_no_new_method_modifies}
+
+```dafny
+module P {
+  method m(i: nat)
+}
+module Q refines P {
+  method m(i: nat) modifies {} { }
+}
+```
+
+A method in a refining module must be able to be used in the same way as the abstract method in the base module.
+If there are additional objects in the modifies clause, then the usage of the refined module may have more effect than known by the base method signature.
+Thus no new modifies clauses may be added. This is a syntactic check, so no modifies clauses can be added even if they
+do not actually add any new objects to the modifies set.
+
+## **Error: decreases clause on refining method not supported, unless the refined method was specified with 'decreases *'** {#ref_no_new_method_decreases}
+
+```dafny
+module P {
+  method m(a: int)
+}
+module Q refines P {
+  method m(a: int) decreases a {}
+}
+```
+
+A decreases clause is not permitted in a refining method declaration, even if it is syntactically identical to the clause in the base declaration.
+The one exception is that if the base declares `decreases *` then the refinement may give a decreases clause (even `decreases`*`).
+Note that if the refining declaration does not state a decreases clause (the usual case), the refining declaration gets a copy of the base declarations clause.
+
+## **Error: a method in a refining module cannot be changed from static to non-static or vice versa: _name_** {#ref_mismatched_method_static}
+
+```dafny
+module P {
+  class A { method m(i: nat) }
+}
+module Q refines P {
+  class A ... { static method m(i: nat) { } }
+}
+```
+
+There are restrictions on what can be changed in a refinement. In particular, a basic characteristic like being or not being `static`
+may not change for any kind of declaration.
+
+## **Error: a ghost method cannot be changed into a non-ghost method in a refining module: _name_** {#ref_mismatched_method_non_ghost}
+
+```dafny
+module P {
+  ghost method m(i: nat) 
+}
+module Q refines P {
+  method m(i: nat) { } 
+}
+```
+
+There are restrictions on what can be changed in a refinement. In particular, a basic characteristic like being or not being `ghost`
+may not change for methods.
+
+## **Error: a method cannot be changed into a ghost method in a refining module: _name_** {#ref_mismatched_method_ghost}
+
+```dafny
+module P {
+  method m(i: nat) 
+}
+module Q refines P {
+  ghost method m(i: nat) { } 
+}
+```
+
+There are restrictions on what can be changed in a refinement. In particular, a basic characteristic like being or not being `ghost`
+may not change for methods.
+
+
+## **Error: _what_ '_name_' is declared with a different number of type parameters (_count_ instead of _oldcount_) than the corresponding _what_ in the module it refines** {#ref_mismatched_type_parameters_count}
+
+```dafny
+module P {
+  method m<T>(i: nat) 
+}
+module Q refines P {
+  method m<T,U>(i: nat) { } 
+}
+```
+
+There are restrictions on what can be changed in a refinement. In particular, a basic characteristic like the number of type parameters
+may not change for any declaration.
+
+
+## **Error: type parameters are not allowed to be renamed from the names given in the _kind_ in the module being refined (expected '_oldname_', found '_name_')** {#ref_mismatched_type_parameter_name}
+
+```dafny
+module P {
+  method m<T,U>(i: nat) 
+}
+module Q refines P {
+  method m<T,W>(i: nat) { } 
+}
+```
+
+There are restrictions on what can be changed in a refinement. 
+In particular, for convenience and readability, the names of type parameters
+may not change for any declaration.
+
+## **Error: type parameter '_name_' is not allowed to change the requirement of supporting equality** {#ref_mismatched_type_parameter_equality}
+
+```dafny
+module P {
+  method m<T,U(==)>(i: nat) 
+}
+module Q refines P {
+  method m<T,U>(i: nat) { } 
+}
+```
+
+There are restrictions on what can be changed in a refinement. 
+In particular, any characteristics of type parameters must remain the same.
+
+## **Error: type parameter '_name_' is not allowed to change the requirement of supporting auto-initialization** {#ref_mismatched_type_parameter_auto_init}
+
+```dafny
+module P {
+  method m<T,U(0)>(i: nat) 
+}
+module Q refines P {
+  method m<T,U>(i: nat) { } 
+}
+```
+
+There are restrictions on what can be changed in a refinement. 
+In particular, any characteristics of type parameters must remain the same.
+
+## **Error: type parameter '_name_' is not allowed to change the requirement of being nonempty** {#ref_mismatched_type_parameter_nonempty}
+
+```dafny
+module P {
+  method m<T,U(00)>(i: nat) 
+}
+module Q refines P {
+  method m<T,U>(i: nat) { } 
+}
+```
+
+There are restrictions on what can be changed in a refinement. 
+In particular, any characteristics of type parameters must remain the same.
+
+
+## **Error: type parameter '_name_' is not allowed to change the no-reference-type requirement** {#ref_mismatched_type_parameter_not_reference}
+
+```dafny
+module P {
+  method m<T,U(!new)>(i: nat) 
+}
+module Q refines P {
+  method m<T,U>(i: nat) { } 
+}
+```
+
+There are restrictions on what can be changed in a refinement. 
+In particular, any characteristics of type parameters must remain the same.
+
+
+## **Error: type parameter '_name_' is not allowed to change variance (here, from '_oldvariance_' to '_variance_')** {#ref_mismatched_type_parameter_variance}
+
+```dafny
+module P {
+  type T<+U> 
+}
+module Q refines P {
+  type T<U> = int
+}
+```
+
+There are restrictions on what can be changed in a refinement. 
+In particular, the variance of type parameters must remain the same.
+
+
+## **Error: type parameter '_name_' of _what_ '_declarationname_' is declared with a different number of type bounds than in the corresponding _what_ in the module it refines (expected _oldnum_, found _num_)** {#ref_mismatched_type_bounds_count}
+
+``` dafny
+module A {
+  type AbstrType<X extends object>
+}
+
+module B refines A {
+  type AbstrType<X>
+}
+```
+
+## **Error: type bound for type parameter '_name_' of _what_ '_declarationname_' is different from the corresponding type bound of the corresponding type parameter of the corresponding _what_ in the module it refines (expected '_oldbound_', found '_bound_'** {#ref_mismatched_type_parameter_bound}
+
+``` dafny
+module A {
+  type AbstrType<X extends object>
+}
+
+module B refines A {
+  trait Trait { }
+  type AbstrType<X extends Trait>
+}
+```
+
+
+## **Error: _kind_ '_name_' is declared with a different number of _what_ (_num_ instead of _oldnum_) than the corresponding _kind_ in the module it refines** {#ref_mismatched_kind_count}
+
+```dafny
+module P {
+  method m(i: int)
+}
+module Q refines P {
+  method m(i: int, j: int) {}
+}
+```
+
+There are restrictions on what can be changed in a refinement. 
+In particular, the number, type and names of formal parameters must remain the same.
+
+## **Error: there is a difference in name of _kind_ _num_ ('_name_' versus '_oldname_') of _kind_ _name_ compared to corresponding _kind_ in the module it refines** {#ref_mismatched_kind_name}
+
+```dafny
+module P {
+  method m(i: int)
+}
+module Q refines P {
+  method m(j: int) {}
+}
+```
+
+There are restrictions on what can be changed in a refinement. 
+In particular, for convenience and readability, the names of formal parameters
+may not change for any declaration.
+
+
+## **Error: _kind_ '_name_' of _kind_ _container_ cannot be changed, compared to the corresponding _kind_ in the module it refines, from non-ghost to ghost** {#ref_mismatched_kind_ghost}
+
+```dafny
+module P {
+  method m(i: int)
+}
+module Q refines P {
+  method m(ghost i: int) {}
+}
+```
+
+There are restrictions on what can be changed in a refinement. 
+In particular, ghost-ness of formal parameters
+may not change for any declaration.
+
+## **Error: _kind_ '_name_' of _kind_ _container_ cannot be changed, compared to the corresponding _kind_ in the module it refines, from ghost to non-ghost** {#ref_mismatched_kind_non_ghost}
+
+```dafny
+module P {
+  method m(ghost i: int)
+}
+module Q refines P {
+  method m(i: int) {}
+}
+```
+
+There are restrictions on what can be changed in a refinement. 
+In particular, ghost-ness of formal parameters
+may not change for any declaration.
+
+## **Error: _kind_ '_name_' of _kind_ _container_ cannot be changed, compared to the corresponding _kind_ in the module it refines, from new to non-new** {#ref_mismatched_kind_non_new}
+
+<!-- TODO -->
+
+## **Error: _kind_ '_name_' of _kind_ _container_ cannot be changed, compared to the corresponding _kind_ in the module it refines, from non-new to new** {#ref_mismatched_kind_new}
+
+<!-- TODO -->
+
+## **Error: _kind_ '_name_' of _kind_ _container_ cannot be changed, compared to the corresponding _kind_ in the module it refines, from non-older to older** {#ref_mismatched_kind_older}
+
+```dafny
+module P {
+  class A {}
+  predicate m(a: A)
+}
+module Q refines P {
+  predicate m(older a: A) { true }
+}
+```
+
+When refining a predicate, a formal parameter may not change from older to non-older or vice versa.
+
+## **Error: _kind_ '_name_' of _kind_ _container_ cannot be changed, compared to the corresponding _kind_ in the module it refines, from older to non-older** {#ref_mismatched_kind_non_older}
+
+```dafny
+module P {
+  class A {}
+  predicate m(older a: A)
+}
+module Q refines P {
+  predicate m(a: A) { true }
+}
+```
+
+When refining a predicate, a formal parameter may not change from older to non-older or vice versa.
+
+## **Error: the type of _kind_ '_n_' is different from the type of the same _kind_ in the corresponding _thing_ in the module it refines ('_name_' instead of '_oldname_')** {#ref_mismatched_parameter_type}
+
+```dafny
+module P {
+  method m(a: bool)
+}
+module Q refines P {
+  method m(a: int) {}
+}
+```
+
+The types in a signature in a refining declaration must be the same as the corresponding types in the base declaration.
+The types must be syntactically identical. For example one cannot be a type synonym of the other.
+
+## **Error: a refining formal parameter ('_name_') in a refinement module is not allowed to give a default-value expression** {#ref_refined_formal_may_not_have_default}
+
+```dafny
+module P {
+  method m(i: int)
+}
+module Q refines P {
+  method m(i: int := 9) {}
+}
+```
+
+There are restrictions on what changes can be made in refining a base declaration. 
+When refining methods, one restriction is that the refining declaration may not have default value declarations.
+The refining method has precisely the same default values as the base declaration.
+
+## **Error: skeleton statement does not match old statement** {#ref_mismatched_skeleton}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: assert template does not match inherited statement** {#ref_mismatched_assert}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: expect template does not match inherited statement** {#ref_mismatched_expect}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: assume template does not match inherited statement** {#ref_mismatched_assume}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: if-statement template does not match inherited statement** {#ref_mismatched_if_statement}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: while-statement template does not match inherited statement** {#ref_mismatched_while_statement}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: a skeleton while statement with a guard can only replace a while statement with a non-deterministic guard** {#ref_mismatched_while_statement_guard}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: modify template does not match inherited statement** {#ref_mismatched_modify_statement}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: modify template must have a body if the inherited modify statement does** {#ref_mismatched_statement_body}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: a refining loop can provide a decreases clause only if the loop being refined was declared with 'decreases *'** {#ref_mismatched_loop_decreases}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: while template must have a body if the inherited while statement does** {#ref_mismatched_while_body}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: skeleton statement may not be used here; it does not have a matching statement in what is being replaced** {#ref_misplaced_skeleton}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: yield statements are not allowed in skeletons** {#ref_misplaced_yield}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: _kind_ statement in skeleton is not allowed to break outside the skeleton fragment** {#ref_invalid_break_in_skeleton}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: cannot have assignment statement** {#ref_misplaced_assignment}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: cannot have call statement** {#ref_misplaced_call}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: refinement method cannot assign to variable defined in parent module ('_name_')** {#ref_invalid_variable_assignment}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: refinement method cannot assign to a field defined in parent module ('{0}')** {#ref_invalid_field_assignment}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: new assignments in a refinement method can only assign to state that the module defines (which never includes array elements)** {#ref_invalid_new_assignments}
+
+_Refining statements are no longer supported in Dafny._
+
+## **Error: assignment RHS in refinement method is not allowed to affect previously defined state** {#ref_invalid_assignment_rhs}
+
+_Refining statements are no longer supported in Dafny._
+
diff --git a/v4.10.0/HowToFAQ/Errors-Resolution.md b/v4.10.0/HowToFAQ/Errors-Resolution.md
new file mode 100644
index 0000000..728e032
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-Resolution.md
@@ -0,0 +1,872 @@
+
+<!-- %check-resolve %default %useHeadings %check-ids -->
+
+<!-- FILE DafnyCore/Resolver/ExpressionTester.cs -->
+
+## **Error: ghost variables such as _name_ are allowed only in specification contexts. _name_ was inferred to be ghost based on its declaration or initialization.** {#r_ghost_var_only_in_specifications}
+
+<!-- %check-resolve -->
+```dafny
+method m() {
+  ghost var i := 6;
+  var j := i;
+  print j;
+}
+```
+
+By their nature, ghost variables and ghost expressions generally may not affect the
+compiled code. So ghost variables may not be used in any non-ghost (compiled) statement.
+Note that variables can be ghost because they are explicitly declared to be ghost
+or because they are initialized with a value that is derived from a ghost expression.
+
+## **Error: a _what_ is allowed only in specification contexts** {#r_only_in_specification}
+
+```dafny
+datatype A = A(x: int, ghost y: int)
+method m(a: A) returns (r: int) {
+    return a.y;
+}
+```
+
+Ghost expressions, including ghost fields or destructors, are allowed only in ghost code.
+
+## **Error: a _what_ with ghost parameters can be used as a value only in specification contexts** {#r_ghost_parameters_only_in_specification}
+
+```dafny
+class A { 
+  function f(ghost i: int): int {0}
+}
+method m(a:A) 
+{
+  print a.f;
+}
+```
+
+Functions may have some (or all) formal parameters be ghost. Such parameters can only be used in ghost expressions
+within the function body. There are limits though on where such a function may be used.
+For example, passing the value of the function itself (not a call of the function) is restricted to ghost contexts.
+
+## **Error: _what_ '_name_' can be used only in specification contexts** {#r_used_only_in_specification}
+
+```dafny
+datatype D = J | ghost K(i: int)
+method m(d:D) 
+  requires d.K?
+{
+  print d.i;
+}
+```
+
+A datatype may have ghost constructors, but accessing the value of one of the fields (destructors) of such a ghost constructor is
+a ghost operation. Consequently an expression like `d.i` (where `i` is a destructor of a ghost constructor for the datatype of which `d` is a value)
+is allowed only in ghost contexts.
+
+## **Error: in a compiled context, update of _deconstructors_ cannot be applied to a datatype value of a ghost variant (ghost constructor _constructor_)** {#r_ghost_destructor_update_not_compilable}
+
+```dafny
+datatype D = A | ghost B(c: int)
+method m(d:D) 
+  requires d.B?
+{
+  print d.(c := 0);
+}
+```
+
+Datatypes may have ghost variants (where the datatype constructor is itself declared ghost), but constructing or updating such variants is a ghost operation.
+Consequently such expressions may not be present in compiled code.
+
+## **Error: a call to a _kind_ is allowed only in specification contexts_hint_** {#r_ghost_call_only_in_specification}
+
+```dafny
+twostate function f(): int { 42 }
+method m() returns (r: int) {
+  r := f();
+}
+```
+
+`twostate` declarations, extreme predicates, and prefix lemmas are always ghost (even without a `ghost` keyword).
+Thus they may never be used outside a ghost context.
+
+## **Error: a call to a ghost _what_ is allowed only in specification contexts (consider declaring the _what_ without the 'ghost' keyword)** {#r_ghost_call_only_in_specification_function_4}
+For Dafny 4:
+<!-- %check-resolve %options --function-syntax:4 -->
+```dafny
+ghost function f(): int { 42 }
+method m() returns (a: int)
+{
+  a := f();
+}
+```
+
+A ghost function can only be called in a ghost context; assigning to an out-parameter is
+always a non-ghost context. If you declare the function to be compilable, then it can be used
+in a non-ghost context. In Dafny 3 a non-ghost function is declared as `function method` (and just `function` is ghost);
+in Dafny 4, `function` is non-ghost and `ghost function` is ghost (like the declarations
+for methods). See [the reference manual on --function-syntax](../DafnyRef/DafnyRef#sec-function-syntax).
+
+## **Error: a call to a ghost _what_ is allowed only in specification contexts (consider declaring the _what_ with 'function method')** {#r_ghost_call_only_in_specification_function_3}
+
+For Dafny 3:
+<!-- %check-resolve %options --function-syntax:3 -->
+```dafny
+function f(): int { 42 }
+method m() returns (a: int)
+{
+  a := f();
+}
+```
+
+A ghost function can only be called in a ghost context; assigning to an out-parameter is
+always a non-ghost context. If you declare the function to be compilable, then it can be used
+in a non-ghost context. In Dafny 3 a non-ghost function is declared as `function method` (and just `function` is ghost);
+in Dafny 4, `function` is non-ghost and `ghost function` is ghost (like the declarations
+for methods). See [the reference manual on --function-syntax](../DafnyRef/DafnyRef#sec-function-syntax).
+
+## **Error: ghost constructor is allowed only in specification contexts** {#r_ghost_constructors_only_in_ghost_context}
+
+<!-- %check-resolve -->
+```dafny
+datatype D = A | ghost C
+method m(i: int) returns (r: D){
+  if i == 0 { r := A; }
+  if i != 0 { r := C; }
+}
+```
+
+A datatype can have a mix of non-ghost and ghost constructors, but the ghost constructors
+may only be used in ghost contexts.
+For example, a ghost constructor cannot be assigned to a non-ghost out-parameter
+or used in the then- or else-branch of a non-ghost if statment.
+
+## **Error: old expressions are allowed only in specification and ghost contexts** {#r_old_expressions_only_in_ghost_context}
+
+```dafny
+class A {}
+method m(a: A) returns (r: A){
+  r := old(a);
+}
+```
+
+The `old` construct is only used in ghost contexts. Typically using `old`
+forces an expression to be ghost.
+But in situations where it is definitely not a ghost context, such as
+assigning to a non-ghost out-parameter or the actual argument for a
+non-ghost formal parameter, then `old` cannot be used.
+
+## **Error: an expression of type '_type_' is not run-time checkable to be a '_type_'** {#r_type_test_not_runtime_checkable}
+
+<!-- TODO -->
+
+## **Error: fresh expressions are allowed only in specification and ghost contexts** {#r_fresh_expressions_only_in_ghost_context}
+
+```dafny
+class A {}
+method m(a: A) returns (b: bool) {
+  b := fresh(a);
+}
+```
+
+The `fresh` construct is only used in ghost contexts. Typically using `fresh`
+forces an expression to be ghost.
+So `fresh` cannot be used in situations where it is definitely not a ghost context, such as
+assigning to a non-ghost out-parameter or the actual argument for a
+non-ghost formal parameter.
+
+## **Error: unchanged expressions are allowed only in specification and ghost contexts** {#r_unchanged_expressions_only_in_ghost_context}
+
+```dafny
+class A {}
+method m(a: A) returns (b: bool){
+  b := unchanged(a);
+}
+```
+
+The `unchanged` construct is only used in ghost contexts. Typically using `unchanged`
+forces an expression to be ghost.
+So `unchanged` cannot be used in situations where it is definitely not a ghost context, such as
+assigning to a non-ghost out-parameter or the actual argument for a
+non-ghost formal parameter.
+
+## **Error: rank comparisons are allowed only in specification and ghost contexts** {#r_rank_expressions_only_in_ghost_context}
+
+```dafny
+datatype D = A | B
+method m(dd: D) 
+{
+  var d := A;
+  print d < dd;
+}
+```
+
+The `<` operator for two datatype values denotes _rank comparison_. That is,
+the right-hand operand must be structurally deeper than the left for the result
+of the operator to be true. However, this operation is always a ghost operation 
+and is never compiled. So it cannot appear in a non-ghost context.
+
+## **Error: prefix equalities are allowed only in specification and ghost contexts** {#r_prefix_equalities_only_in_ghost_context}
+
+```dafny
+codatatype Stream = SNil | SCons(head: int, tail: Stream)
+const s: Stream
+const t: Stream
+const b := s == #[1] t
+```
+
+The `==#[k]` syntax is [_prefix equality_](../DafnyRef/DafnyRef#sec-co-equality) on two values of the same codatatype.
+It means that the two values have the same prefix of k values.
+Such operations are not compilable and only allowed in ghost contexts.
+
+## **Error: _what_ in non-ghost contexts must be compilable, but Dafny's heuristics can't figure out how to produce or compile a bounded set of values for '_name_'** {#r_unknown_bounds}
+
+```dafny
+const s := iset i: int :: i*2 
+```
+
+Implicit iterations over unbounded ranges are not compilable. 
+More typically a _range_ predicate is given that limits the range of the local variable.
+The dafny tool analyzes this predicate, using various heuristics, to find lower and
+upper bounds by which to constrain the range. If the heuristics fail, then dafny
+does not know how to, and will not, compile the code. Where possible, adding in a
+range predicate, even if it is a superset of the actual range, can give the compiler
+enough hints to construct a compiled version of the program.
+
+## **Error: match expression is not compilable, because it depends on a ghost constructor** {#r_match_not_compilable}
+
+<!-- TODO - does not fail -->
+<!-- %no-check -->
+```dafny
+datatype D = A | ghost B
+method m(dd: D) 
+{
+  print match dd { case A => 0 case B => 1 };
+}
+```
+
+If one of the cases in a match expression uses a ghost constructor, then the whole
+match expression is ghost. That match expression cannot then be used in a compiled
+context, such as a print statement.
+
+
+<!-- FILE ./DafnyCore/Resolver/TypeInferenceChecker.cs -->
+
+## **Error: newtype's base type is not fully determined; add an explicit type for '_name_'** {#r_newtype_base_undetermined}
+
+<!-- TODO -->
+
+## **Error: subset type's base type is not fully determined; add an explicit type for '_name_'** {#r_subset_type_base_undetermined}
+
+<!-- TODO -->
+
+## **Error: shared destructors must have the same type, but '_name_' has type '_type_' in constructor '_name_' and type '_type_' in constructor '_name_'** {#r_shared_destructors_have_different_types}
+
+```dafny
+datatype D = A(x: int) | B (x: bool)
+```
+
+In defining a datatype, two constructors can both refer to a common destructor, but if they 
+do, the two instances must be declared with the same type. To correct this, either
+(a) the writer intends there to be two different destructor values, but accidentally
+used the same name, in which case change the name of one of them, or (b) they are
+intended to be the same, in which case a common type must be chosen.
+
+## **Error: literal (_literal_) is too large for the bitvector type _type_** {#r_literal_too_large_for_bitvector}
+
+```dafny
+const b: bv4 := 30
+```
+
+An integer literal can be converted implicitly to a value of a bitvector type,
+but only if the integer literal is in the range for the target type.
+For example, the type `bv4` has 4 bits and holds the values 0 through 15 inclusive.
+So a `bv4` can be initialized with a value in that range.
+Negative values are allowed: a value of -n corresponds to the bit vector
+value which, when added to the bitvector value of n, gives 0.
+For bv4, -n is the same as 16-n.
+
+## **Error: unary minus (-_num_, type _type_) not allowed in case pattern** {#r_no_unary_minus_in_case_patterns}
+
+```dafny
+const d: bv4
+const c := match d { case -0 => 0 case _ => 1 }
+```
+
+In a case value of a match expression with a bitvector type, the literals in the cases
+may not be negative literals, even though those may be used as bitvector literals in
+some other places in Dafny.
+
+<!-- NOTE: This message is also present in Expressions/LitPattern.cs; I believe the message
+here in TypeInferenceChecker is never reachable. -->
+
+## **Error: type of type parameter could not be determined; please specify the type explicitly** {#r_type_parameter_undetermined}
+
+<!-- TODO -->
+
+## **Error: type of bound variable '_name_' could not be determined; please specify the type explicitly** {#r_bound_variable_undetermined}
+
+<!-- TODO -->
+
+## **Error: type of bound variable '_name_' ('_type_') is not allowed to use type ORDINAL** {#r_bound_variable_may_not_be_ORDINAL}
+
+<!-- TODO -->
+
+## **Warning: the quantifier has the form 'exists x :: A ==> B', which most often is a typo for 'exists x :: A && B'; if you think otherwise, rewrite as 'exists x :: (A ==> B)' or 'exists x :: !A || B' to suppress this warning** {#r_exists_quantifier_warning}
+
+<!-- %check-resolve-warn -->
+```dafny
+ghost const c := exists i: int :: true ==> true
+```
+
+The implication `A ==> B` is true if `A` is false or `B` is true. In a `forall` statement one might write,
+for example, `0 <= i < 10 ==> a[i] == 0`, claiming that the array element is 0 for the first 10 array elements.
+But if one wrote `exists i :: 0 <= i < 10 ==> a[i] == 0` then a value of 10 for `i` satisfies the predicate.
+More often one means `exists i :: 0 <= i < 10 && a[i] == 0`, that is, is there an `i` between 0 and 10 for
+which the array element is 0. This is such a common mistake that this warning warns about it and asks for
+a syntax that explicitly states that the writer means it.
+
+## **Error: type parameter '_name_' (inferred to be '_type_') to the _kind_ '_name_' could not be determined** {#r_type_parameter_not_determined}
+
+<!-- TODO -->
+
+## **Error: type parameter '_name_' (passed in as '_type_') to the _kind_ '_name_' is not allowed to use ORDINAL** {#r_type_parameter_may_not_be_ORDINAL}
+
+<!-- TODO -->
+
+## **Error: type parameter '_name_' (inferred to be '_type_') in the function call to '_name_' could not be determined** {#r_function_type_parameter_undetermined}
+
+<!-- TODO -->
+
+## **Error: type parameter '_name_' (passed in as '_type_') to function call '_name_' is not allowed to use ORDINAL** {#r_function_type_parameter_may_not_be_ORDINAL}
+
+<!-- TODO -->
+
+## **Error: the type of the bound variable '_var_' could not be determined** {#r_bound_variable_type_undetermined}
+
+<!-- TODO -->
+
+## **Error: a type cast to a reference type (_type_) must be from a compatible type (got _type_); this cast could never succeed** {#r_never_succeeding_type_cast}
+
+<!-- TODO -->
+
+## **Error: a type test to '_type_' must be from a compatible type (got '_type_')** {#r_never_succeeding_type_test}
+
+<!-- TODO -->
+
+## **Error: a non-trivial type test is allowed only for reference types (tried to test if '_type_' is a '_type_')** {#r_unsupported_type_test}
+
+```dafny
+type Small = i: nat | i < 10
+const i := 10
+const b := i is Small
+```
+
+The `is` type test is currently somewhat limited in Dafny, and more limited than the companion `as` conversion.
+In particular, `is` is not allowed to test that a value is a member of a subset type.
+
+## **Warning: the type of the other operand is a non-null type, so this comparison with 'null' will always return '_bool_'_hint_** {#r_trivial_null_test}
+
+<!-- %check-resolve-warn -->
+```dafny
+class C {}
+function f(): C
+method m(c: C) {
+  var b: bool := f() != null;
+  var a: bool := c != null;
+}
+```
+
+Dafny does have a `null` value and expressions of types that include `null` can have a `null` value.
+But in Dafny, for each class type `C` there is a corresponding type `C?`; `C` does not include `null`,
+whereas `C?` does. So if an expression `e` having type `C` is compared against `null`, as in `e == null`,
+that comparison will always be `false`. If the logic of the program allows `e` to be sometimes `null`,
+then it should be declared with a type like `C?`.
+
+## **Warning: the type of the other operand is a _what_ of non-null elements, so the _non_inclusion test of 'null' will always return '_bool_'** {#r_trivial_null_inclusion_test}
+
+<!-- %check-resolve-warn -->
+```dafny
+class C {}
+method m(c: seq<C>, cc: seq<C?>) {
+  var bb := null in cc;  // OK
+  var b  := null in c;   // Warning
+}
+```
+
+This error refers to the `in` (or `!in`) operation and notes that the test is whether `null` is in the given container.
+But the elements of the container are of a type that does not include `null`, so the given test will always
+be `false` (or `true`).  Either the type of the container's elements should be a nullable type (a `C?` instead of a `C`)
+or the test is unnecessary. 
+
+## **Warning: the type of the other operand is a map to a non-null type, so the inclusion test of 'null' will always return '_bool_'** {#r_trivial_map_null_inclusion_test}
+
+<!-- %check-resolve-warn -->
+```dafny
+trait T {}
+const m: map<T,T>
+const c := null in m
+```
+
+The operation is testing whether `null` is a member of the domain of the map value given as the right-hand operand.
+But the domain of that map type (the first type parameter) is a non-null type. So this test will trivially always
+fail (for `in`) or succeed (for `!in`). If it is actually the case that the map's domain is allowed to contain `null`
+then the domain type should be a nullable type like `T?`. If it is not the case that null could be in the domain,
+then this test is not needed at all.
+
+## **Error: the type of this _var_ is underspecified** {#r_var_type_undetermined}
+
+<!-- TODO -->
+
+## **Error: an ORDINAL type is not allowed to be used as a type argument** {#r_no_ORDINAL_as_type_parameter}
+<!-- TODO _ this one is misplaced -->
+<!-- %no-check This example does not work TODO -->
+```dafny
+type X<T>
+method m(c: X<ORDINAL>) {
+}
+```
+
+The ORDINAL type corresponds to a mathematical type "larger" than the natural numbers. That is, there
+are ORDINALs that are larger than any `nat`. Logical reasoning with ORDINALs is tricky and
+a bit counter-intuitive at times. For logical implementation reasons, Dafny limits where
+ORDINALs can be used; one restriction is that the ORDINAL type may not be a type argument.
+
+<!-- FILE ./DafnyCore/Resolver/Abstemious.cs -->
+
+## **Error: the value returned by an abstemious function must come from invoking a co-constructor** {#r_abstemious_needs_conconstructor}
+
+```dafny
+codatatype D = A | B
+function {:abstemious} f(): int {0}
+```
+
+<!-- TODO -->
+_Abstemious functions are not documented. Please report occurences of this error message._
+
+## **Error: an abstemious function is allowed to invoke a codatatype destructor only on its parameters** {#r_bad_astemious_destructor}
+
+```dafny
+codatatype EnormousTree<X> = Node(left: EnormousTree, val: X, right: EnormousTree)
+ghost function {:abstemious} BadDestruct(t: EnormousTree): EnormousTree
+{ 
+  Node(t.left, t.val, t.right.right)  // error: cannot destruct t.right
+}   
+```
+
+<!-- TODO -->
+_Abstemious functions are not documented. Please report occurences of this error message._
+
+## **Error: an abstemious function is allowed to codatatype-match only on its parameters** {#r_bad_astemious_nested_match}
+
+```dafny
+codatatype EnormousTree<X> = Node(left: EnormousTree, val: X, right: EnormousTree)
+ghost function {:abstemious} BadMatch(t: EnormousTree): EnormousTree
+{ 
+  match t.right  // error: cannot destruct t.right
+  case Node(a, x, b) =>
+    Node(a, x, b)
+}
+```
+
+<!-- TODO -->
+_Abstemious functions are not documented. Please report occurences of this error message._
+
+## **Error: an abstemious function is allowed to codatatype-match only on its parameters** {#r_bad_astemious_match}
+
+<!-- TODO - need an example of this variation of error message -->
+<!-- TODO -->
+_Abstemious functions are not documented. Please report occurences of this error message._
+
+## **Error: an abstemious function is not allowed to check codatatype equality** {#r_bad_astemious_codatatype_equality}
+
+```dafny
+codatatype D = A | B(i: bool)
+ghost function {:abstemious} f(d: D, e: D): D { B(d == e) }
+```
+
+Abstemious functions have some restrictions. One of these is that an abstemious function
+may not invoke test of equality over codatatypes, even though this is allowed for
+non-abstemious ghost functions.
+See the [reference manual](../DafnyRef/DafnyRef#sec-abstemious) for more information on using abstemious functions.
+
+
+<!-- FILE ./DafnyCore/Resolver/GhostInterestVisitor.cs -->
+
+## **Error: expect statement is not allowed in this context (because this is a ghost method or because the statement is guarded by a specification-only expression)** {#r_expect_statement_is_not_ghost}
+
+<!-- %check-resolve -->
+```dafny
+method m(ghost b: bool)
+{
+  var x := 0;
+  if b { expect x == 0; }
+}
+```
+
+`expect` statements are not allowed in ghost contexts; use an `assert` statement instead.
+Ghost context can be explicitly clear, such as the body of a method or function declared `ghost`.
+But a ghost context can also be implicit, and not so obvious: if part of a statement,
+such as the condition of an if statement or loop or the expression being matched in a match 
+statement, is ghost, then the rest of the statement may be required to be ghost.
+
+## **Error: print statement is not allowed in this context (because this is a ghost method or because the statement is guarded by a specification-only expression)** {#r_print_statement_is_not_ghost}
+
+<!-- %check-resolve -->
+```dafny
+method m(ghost b: bool)
+{
+  if b { print true; }
+}
+```
+
+`print` statements are not allowed in ghost contexts, because they have external effects.
+Ghost context can be explicitly clear, such as the body of a method or function declared `ghost`.
+But a ghost context can also be implicit, and not so obvious: if something ghost is part of a statement,
+such as the condition of an `if` statement or loop or the expression being matched in a match 
+statement, then the rest of the statement may be required to be ghost.
+
+In addition, methods must be marked with the `{:print}` attribute if 
+it has `print` statements or calls methods marked with `{:print}`
+and `--track-print-effects` is enabled.
+[See the reference manual discussion on :print and tracking print effects](../DafnyRef/DafnyRef#sec-print).
+
+## **Error: ghost-context _kind_ statement is not allowed to _kind_ out of non-ghost _target_** {#r_ghost_break}
+
+```dafny
+method m(i: int) {
+  ghost var b: bool := true;
+  label x: while i > 0 {
+    while (b) {
+      break x;
+    }
+  }
+}
+```
+
+A `break` or `continue` statement might be in a ghost loop or block, for example, because the
+condition of the loop is ghost. It then may direct the flow of control to break out of some outer enclosing 
+loop or block or continue an iteration in an enclosing loop. If that enclosing loop or block is
+non-ghost, we have the situation of ghost code affecting the flow of control of non-ghost code.
+Consequently a ghost break or continue statement must have as its target some enclosing ghost
+block or loop. 
+
+## **Error: _kind_ statement is not allowed in this context (because it is guarded by a specification-only expression)** {#r_produce_statement_not_allowed_in_ghost}
+
+```dafny
+method m() {
+  ghost var b: bool := true;
+  if b { return; }
+}
+```
+
+If the condition of a `if` or `match` statement is a ghost expression, then the whole statement is
+considered ghost. And then the statement can contain no substatements that are forbidden to be ghost.
+`return` and `yield` stastements are never ghost, so they cannot appear in a statement whose guarding
+value is ghost.
+
+## **Error: cannot assign to _var_ in a ghost context** {#r_no_assign_to_var_in_ghost}
+
+```dafny
+method m(ghost c: int) 
+{
+  var x := 7;
+  if (c == 1) { x :| x < 8; }
+}
+```
+
+No changes to non-ghost variables may occur in ghost contexts.
+Ghost context can be implicit, such as the branches of an if-statement
+whose condition is a ghost expression.
+
+## **Error: non-ghost _var_ cannot be assigned a value that depends on a ghost** {#r_no_assign_ghost_to_var}
+
+```dafny
+method m(ghost c: int) 
+{
+  var x := 8;
+  x :| x < c;
+}
+```
+
+In a assign-such-that statement, the LHS gets some value that satisfies the boolean expression on the RHS.
+If the LHS is non-ghost, then the RHS must be non-ghost, because non-ghost code may not depend on
+ghost code.
+
+## **Error: assumption variable must be of type 'bool'** {#r_assumption_var_must_be_bool}
+
+```dafny
+method m() {
+  ghost var {:assumption} b: int;
+}
+```
+
+Variables marked with `{:assumption}` must have bool type.
+See [the reference manual](#../DafnyRef/DafnyRef#sec-assumption) for more detail on the use of this attribute.
+
+
+## **Error: assumption variable must be ghost** {#r_assumption_var_must_be_ghost}
+
+```dafny
+method m() {
+  var {:assumption} b: bool;
+}
+```
+
+Variables marked with `{:assumption}` must be ghost.
+See [the reference manual](#../DafnyRef/DafnyRef#sec-assumption) for more detail on the use of this attribute.
+
+
+## **Error: assumption variables can only be declared in a method** {#r_assumption_var_must_be_in_method}
+
+<!-- TODO - not sure this is reachable -->
+
+Variables marked with `{:assumption}` must be declared within methods.
+See [the reference manual](#../DafnyRef/DafnyRef#sec-assumption) for more detail on the use of this attribute.
+
+
+## **Error: in _proof_, calls are allowed only to lemmas** {#r_no_calls_in_proof}
+
+```dafny
+method n() {}
+method m()
+{  
+  var i: int;
+  assert true by {
+    n();
+  }
+}
+```
+
+Proof contexts are blocks of statements that are used to construct a proof.
+Examples are the bodies of lemma, the by-blocks of assert-by statements
+and calc statements. A proof context is a ghost context.
+In ghost context, no methods may be called, even ghost methods.
+Only lemmas may be called.
+
+## **Error: only ghost methods can be called from this context** {#r_only_ghost_calls}
+
+```dafny
+method n() {}
+ghost method m()
+{ 
+  n();
+}
+```
+
+The body of a ghost method is a ghost context. So if there are any
+method calls in that body, they must be ghost.
+Lemmas and ghost functions may also be called.
+
+## **Error: actual out-parameter _parameter_ is required to be a ghost variable** {#r_out_parameter_must_be_ghost}
+
+```dafny
+method n() returns (r: int, ghost s: int) {}
+method m(a: array<int>) returns (r: bool)
+  requires a.Length > 1
+{ 
+  var x: int;
+  var y: int;
+  x, y := n();
+  a[0] := 0;
+}
+```
+
+The method being called returns a ghost value as one of its out-parameters.
+The variable receiving that value is required to be ghost as well.
+Note that out-parameters are numbered beginning with 0.
+
+This message can also arise when the receiving left-hand-side expression
+is an array element (e.g. a[0]). This is not permitted at all because
+arrays are never ghost.
+
+<!-- 2 instances -->
+
+## **Error: actual out-parameter _parameter_ is required to be a ghost field** {#r_out_parameter_must_be_ghost_field}
+
+```dafny
+class A { var a: int }
+method n() returns (r: int, ghost s: int) {}
+method m(a: A) returns (r: bool)
+{ 
+  var x: int;
+  var y: int;
+  x, a.a := n();
+}
+```
+
+The method being called returns a ghost value as one of its out-parameters.
+The left-hand-side expression receiving that value is required to be ghost as well.
+In this case, the LHS expression is a field of an object;
+the field itself must be ghost, not simply the whole object.
+Note that out-parameters are numbered beginning with 0.
+
+
+## **Error: a loop in _context_ is not allowed to use 'modifies' clauses** {#r_loop_may_not_use_modifies}
+
+```dafny
+class A { var a: int }
+method m(aa: A)
+  modifies aa
+{ 
+  assert true by {
+    var i:= 10;
+    while (i > 0) 
+      decreases i
+      modifies aa
+    {
+    i := i - 1;
+    }
+  }
+}
+```
+
+Proof contexts are blocks of statements that are used to construct a proof.
+Examples are the bodies of lemma, the by-blocks of assert-by statements
+and calc statements. A proof context is a ghost context. One of the rules
+for ghost contexts is that nothing on the heap may be modified in ghost context.
+Consequently there is no need for a modifies clause for loops that might
+be used to support the proof in the `by` block.
+
+## **Error: 'decreases *' is not allowed on ghost loops** {#r_decreases_forbidden_on_ghost_loops}
+
+<!-- %check-resolve -->
+```dafny
+method m()
+  decreases *
+{
+  ghost var c := 10;
+  while 0 <= c 
+    invariant 0 <= c <= 10
+    decreases *
+  {
+    c := c - 1;
+  }
+}
+```
+
+A while loop is ghost if its controlling condition is a ghost expression.
+Similarly, a for loop is ghost if the range over which the index variable ranges is ghost.
+Ghost code is meant to aid proofs; for sound proofs any constructs in the ghost code must be terminating.
+Hence, indications of non-terminating loops, that is, `decreases *`, are not permitted.
+
+This does mean that the specifier has to do the work of designing a valid terminating condition and proving it.
+
+<!-- 3 instances -->
+
+## **Error: a loop in _proof_ is not allowed to use 'modifies' clauses** {#r_loop_in_proof_may_not_use_modifies}
+
+<!-- TODO - this example give r_loop_may_not_use_modifies
+<!-- %no-check -->
+```dafny
+class A {  }
+lemma m(j: int, a: A) {
+  var i := j;
+  while (i > 0) 
+    modifies a
+  {
+  }
+}
+```
+-->
+
+A proof context, such as the body of a lemma, is ghost context and thus is not allowed to modify
+anything on the heap. If there is nothing that may be modified, then there is no need for
+a `modifies` clause for a loop. Note that the `modifies` clause does not list any local 
+variables that are changed in a loop in any case.
+
+<!-- 2 instances -->
+
+## **Error: a ghost loop must be terminating; make the end-expression specific or add a 'decreases' clause** {#r_ghost_loop_must_terminate}
+
+<!-- TODO -->
+
+## **Error: _proof_ is not allowed to perform an aggregate heap update** {#r_no_aggregate_heap_update_in_proof}
+
+```dafny
+lemma p(a: array<int>)
+{
+  forall i | 0 <= i < a.Length { a[i] := 0; } 
+}
+```
+
+Proof contexts, such as bodies of lemmas or by-blocks, cannot perform any changes to the heap.
+In particular that disallows assignments to array elements using a `forall` aggregate update.
+
+## **Error: forall statements in non-ghost contexts must be compilable, but Dafny's heuristics can't figure out how to produce or compile a bounded set of values for '_name_'** {#r_unknown_bounds_for_forall}
+
+<!-- TODO ; this might be shadowed by a similar message in ExpressionTester -->
+
+## **Error: a modify statement is not allowed in _proof_** {#r_modify_forbidden_in_proof}
+
+```dafny
+class A {  }
+lemma m(a: A)
+ {
+  modify a;
+}
+```
+
+A proof context, such as the body of a lemma or a `by` block, is ghost context and thus is 
+not allowed to modify anything on the heap. If there is nothing that may be modified, 
+then there is no need for a `modify` statement in such a context.
+
+## **Error: _proof_ is not allowed to use 'new'** {#r_new_forbidden_in_proof}
+
+```dafny
+class A {  }
+lemma m(a: A)
+{
+  var aa := new A;
+}
+```
+
+A proof context, such as the body of a lemma or a `by` block, is ghost context and thus is 
+not allowed to modify anything on the heap. That includes allocating new things in the 
+heap, as a `new` expression does. Typically a proof uses expressions that are value types
+(sequences, sets, maps) to formulate the proof and not heap operations.
+
+## **Error: _proof_ is not allowed to make heap updates** {#r_no_heap_update_in_proof}
+
+```dafny
+class A { ghost var k: int }
+lemma m(a: A)
+{
+  a.k := 9;
+}
+```
+
+An update to a field of a heap object is not allowed in a proof context such as the body of a lemma.
+This is the case even if the field in question is a ghost field of its containing class or trait.
+
+## **Error: assignment to _kind_ is not allowed in this context, because _reason_** {#r_assignment_forbidden_in_context}
+
+```dafny
+class A { var a: int }
+lemma lem(aa: A) {
+  aa.a := 1;
+}
+method m(aa: A) {
+  ghost var b := true;
+  if b { aa.a := 1; }
+}
+```
+
+This message can occur in many program situations: the fault is an assignment to a field in the heap
+that is not permitted because the assignment statement occurs in a ghost context within a generally
+non-ghost environment. A common example is the then or else branch of a `if` statement that is
+deemed a ghost context because the controlling condition for the loop is a ghost expression.
+Similar situations arise for loops and match statements.
+
+## **Error: the result of a ghost constructor can only be assigned to a ghost variable** {#r_assignment_to_ghost_constructor_only_in_ghost}
+
+```dafny
+class A { constructor I() {} ghost constructor Init(i: int) {} }
+method m() returns (a: A)
+{
+  a := new A.Init(23);
+}
+```
+
+Classes may have ghost constructors along with regular, non-ghost constructors.
+However, ghost constructors may only be called in ghost context, including that
+the newly allocated object be assigned to a ghost location (such as a ghost variable). 
+
+
diff --git a/v4.10.0/HowToFAQ/Errors-Resolver2.md b/v4.10.0/HowToFAQ/Errors-Resolver2.md
new file mode 100644
index 0000000..ae80406
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-Resolver2.md
@@ -0,0 +1,192 @@
+
+<!-- %check-resolve %default %useHeadings  -->
+
+<!-- FILE ./DafnyCore/Resolver/TypeConstraint.cs-->
+
+<!-- TODO: collector for other errors? -->
+
+<!-- FILE ./DafnyCore/Resolver/TailRecursion.cs -->
+
+## **Error: tail recursion can be specified only for methods that will be compiled, not for ghost methods**
+
+```dafny
+ghost method {:tailrecursion} m(n: nat) returns (r: nat)
+{ 
+  if n == 0 { r := 0; } else { r := m(n-1); }
+}
+```
+
+Tail-recursion is a compilation optimization that transforms recursive calls into loops.
+So it is only relevant to compiled code; ghost functions and methods need not
+(and may not) specify a `{:tailrecursion}` attribute.
+
+## **Error: sorry, tail-call optimizations are not supported for mutually recursive methods**
+
+```dafny
+method g(n: nat) returns (r: nat) { r := f(n); }
+method {:tailrecursion} f(n: nat) returns (r: nat)
+{ 
+  if n == 0 { r := 0; } else { r := g(n-1); }
+}
+```
+
+Tail-recursion is a compilation optimization that transforms recursive calls into loops.
+However, the implementation currently in the `dafny` tool does not support identifying
+and optimizing tail-recursion opportunities in mutually recursive functions.
+
+## **Error: this recursive call is not recognized as being tail recursive, because it is followed by non-ghost code**
+
+```dafny
+method {:tailrecursion} m(n: nat) returns (r: nat)
+{ 
+  r := m(n-1);
+  r := 0;
+}
+```
+
+Tail-recursion is a compilation optimization that transforms recursive calls into loops.
+As the name somewhat implies, a situation amenable to tail-recursion optimization 
+is one in which the recursive call of the function or method is the last thing that
+happens in the body of the function or method. If other code follows the recursive call,
+the tail-recursion transformation cannot be applied.
+
+
+## **Error: the recursive call to '_name_' is not tail recursive, because the assignment of the LHS happens after the call**
+
+<!-- TODO -->
+
+## **Error: a recursive call inside a loop is not recognized as being a tail call**
+
+```dafny
+method {:tailrecursion} m(n: nat) returns (r: nat)
+{ 
+  while n > 0 { r := m(n-1); }
+}
+```
+
+Tail-recursion is a compilation optimization that transforms recursive calls into loops.
+As the name somewhat implies, a situation amenable to tail-recursion optimization 
+is one in which the recursive call of the function or method is the last thing that
+happens in the body of the function or method. That is certainly not the case for calls
+within loops, so such calls may not be attributed with `{:tailrecursion}`.
+
+<!-- 2 instances -->
+
+## **Error: a recursive call inside a forall statement is not a tail call**
+
+<!-- TODO -->
+
+## **Error: a recursive call in this context is not recognized as a tail call**
+
+<!-- TODO -->
+
+## **Error: the recursive call to '_name_' is not tail recursive because the actual out-parameter is not the formal out-parameter _formal_**
+
+```dafny
+method {:tailrecursion} m(n: nat) returns (r: nat)
+{ 
+  var x := m(n-1);
+}
+```
+
+Tail-recursion is a compilation optimization that transforms recursive calls into loops.
+Part of the pattern that is amenable to this optimization is that the last thing happening 
+in the body of a recursive method (or function) is a call of the recursive function with the
+value returned being assigned to the out-parameter.
+
+## **Error: the recursive call to '_name_' is not tail recursive because the actual out-parameter _out_ is not the formal out-parameter _formal_**
+
+```dafny
+method {:tailrecursion} m(n: nat) returns (r: nat, s: nat)
+{ 
+  var x, y := m(n-1);
+}
+```
+
+Tail-recursion is a compilation optimization that transforms recursive calls into loops.
+Part of the pattern that is amenable to this optimization is that the last thing happening 
+in the body of a recursive method (or function) is a call of the recursive function with the
+value returned being assigned to the out-parameter.
+
+## **Error: the recursive call to '_name_' is not tail recursive because the actual type argument _typeparam_ is not the formal type parameter '_formal_'**
+
+```dafny
+method {:tailrecursion} m<T,U>(n: nat) returns (r: nat)
+{ 
+  if n == 0 { return 0; } else { r := m<U,U>(n-1); }
+}
+```
+
+If the method that is marked for tail-recursion has type parameters, then the recursive 
+calls of that method must have the same type parameters, in the same order.
+Note that type parameter positions start from 0.
+
+
+## **Error: tail recursion can be specified only for functions that will be compiled, not for ghost functions**
+
+<!-- %check-resolve %options --function-syntax:4 -->
+```dafny
+ghost function {:tailrecursion} f(n: nat): int
+{ 
+  if n == 0 then 0 else f(n-1)
+}
+```
+
+Tail-recursion is a compilation optimization that transforms recursive calls into loops.
+So it is only relevant to compiled code; ghost functions and methods need not
+(and may not) specify a `{:tailrecursion}` attribute.
+
+## **Error: sorry, tail-call optimizations are not supported for mutually recursive functions**
+
+<!-- %check-resolve %options --function-syntax:4 -->
+```dafny
+function g(n: nat): nat { f(n) }
+function {:tailrecursion} f(n: nat): nat
+{ 
+  if n == 0 then 0 else g(n-1)
+}
+```
+
+Tail-recursion is a compilation optimization that transforms recursive calls into loops.
+However, the implementation currently in the `dafny` tool does not support identifying
+and optimizing tail-recursion opportunities in mutually recursive functions.
+
+## **Error: if-then-else branches have different accumulator needs for tail recursion**
+
+<!-- TODO -->
+
+## **Error: cases have different accumulator needs for tail recursion**
+
+<!-- TODO -->
+
+<!-- 2 instances -->
+
+
+## **Error: to be tail recursive, every use of this function must be part of a tail call or a simple accumulating tail call**
+
+<!-- %check-resolve %options --function-syntax:4 -->
+```dafny
+function {:tailrecursion} f(n: nat): nat
+{
+  if n == 0 then n else var r := f(n-1); r
+}
+```
+
+<!-- %check-resolve %options --function-syntax:4 -->
+```dafny
+function {:tailrecursion} f(n: nat): nat
+{
+  if n < 2 then n else f(n-2)+f(n-1)
+}
+```
+
+Tail-recursion is a compilation optimization that transforms recursive calls into loops.
+The Dafny compiler analyzes the code for recognizable, not too complex patterns.
+One complexity that defies analysis is too many calls of the same recursive function;
+another is using the function as a value, rather than in a function call.
+
+
+<!-- FILE ./DafnyCore/Resolver/Resolver.cs -->
+
+<!-- TODO Lots -->
+
diff --git a/v4.10.0/HowToFAQ/Errors-Resolver3.md b/v4.10.0/HowToFAQ/Errors-Resolver3.md
new file mode 100644
index 0000000..561389d
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-Resolver3.md
@@ -0,0 +1,768 @@
+
+<!-- %check-resolve %default %useHeadings -->
+
+<!-- FILE ./DafnyCore/Resolver/NameResolutionAndTypeInference.cs -->
+
+## **Error: newtypes must be based on some numeric type (got _type_)**
+
+```dafny
+datatype D = A | B
+newtype T = D
+```
+
+In the current definition of the Dafny language, newtypes may only be 
+based on numeric types: int and real and subtypes and newtypes based on them.
+This may change in the future.
+
+## **Error: newtype constraint must be of type bool (instead got _type_)**
+
+```dafny
+newtype T = i: int | i 
+```
+
+The expression after the vertical bar must be a boolean condition.
+The values of the basetype that satisfy this condition are the members 
+of the newtype. This is different than, say, a set comprehension like
+`set i: int :: i*2` where the expression after the `::` gives the elements
+of the set directly.
+
+## **Error: subset-type constraint must be of type bool (instead got _type_)**
+
+```dafny
+type T = i: int | i
+```
+
+The expression after the vertical bar must be a boolean condition.
+The values of the basetype that satisfy this condition are the members 
+of the subset type. This is different than, say, a set comprehension like
+`set i: int :: i*2` where the expression after the `::` gives the elements
+of the set directly.
+
+## **Error: witness expression must have type '_type_' (got '_type_')**
+
+```dafny
+type T = i: int | 100 < i < 102 witness true
+```
+
+In some definitions of subset types or newtypes, Dafny needs an example value
+to know that the type is not empty. That value is called a `witness` and 
+is a specific value that can be proved to be a member of the type.
+Since it is a member of the newly defined type, and hence of the basetype,
+the witness may not be an expression of some different type.
+
+<!-- 2 instances -->
+
+## **Error: the argument of a unary minus must have numeric or bitvector type (instead got _type_)**
+
+```dafny
+datatype D = A | B
+const d := A
+const x := -d
+```
+
+The unary - (negation) operator acts only on `int`, `real`, and bitvector values
+and values of types based on those types.
+
+## **Error: type of 'null' is a reference type, but it is used as _type_**
+
+```dafny
+const i: int := null
+```
+
+`null` is a literal value (like `true` and `1`) whose type is a reference type.
+So it can only be used in contexts that can accept a reference value, such as
+assignment to a variable of nullable reference type. Primitive types like
+`boolean`, `int`, `real`, `char`, `string`, and datatypes do not have any
+value `null` (and there are no types like `string?` or `D?` for a datatype `D`).
+
+## **Error: integer literal used as if it had type _type_**
+
+<!-- TODO -->
+_This error is not yet documented._
+
+## **Error: real literal used as if it had type _type_**
+
+<!-- TODO -->
+_This error is not yet documented._
+
+## **Error: 'this' is not allowed in a 'static' context**
+
+```dafny
+class A {}
+method m() {
+  var a: A := this;
+}
+```
+
+As in some other programming languages, `this` in Dafny refers to the object that contains 
+the method in which the identifier `this` is used. However, the containing object is
+an implicit argument to a method only if it is an _instance_ method, not if it is a
+_static_ method; so `this` cannot be used in static methods.
+
+A method in a class is instance by default and static only if it is explicitly
+declared so. A method declared at the top-level or as a direct member of a 
+module is implicitly static (and cannot be instance). 
+
+## **Error: Identifier does not denote a local variable, parameter, or bound variable: _name_**
+
+<!-- TODO -->
+_This error message is not yet documented._
+
+## **Error: Undeclared datatype: _type_**
+
+<!-- TODO - may not be reachable -->
+_This error message is not yet documented. Please report any source code that provokes it._
+
+## **Error: The name _type_ ambiguously refers to a type in one of the modules _modules_ (try qualifying the type name with the module name)**
+
+```dafny
+module M { type T }
+module N { type T }
+
+import opened M
+import opened N
+const t: T
+
+```
+
+The stated type name has more than one declaration in scope, likely because both have been imported
+with `opened`. In that case the name must be qualified to indicate which declaration is intended.
+
+## **Error: Expected datatype: _type_**
+
+<!-- TODO - may not be reachable -->
+_This error message is not yet documented. Please report any source code that provokes it._
+
+## **Error: All elements of display must have some common supertype (got _type_, but needed type or type of previous elements is _type_)**
+
+```dafny
+const d := [4.0, 6]
+```
+
+## **Error: All domain elements of map display must have some common supertype (got _type_, but needed type or type of previous elements is _type_)**
+
+```dafny
+const d := map[2 := 3, 4.0 := 6]
+```
+
+A map display associates a number of domain values with corresponding range values using the syntax _domain value_ := _range value_. 
+All the domain values must have the same type or a common supertype.
+
+## **Error: All range elements of map display must have some common supertype (got _type_, but needed type or type of previous elements is _type_)**
+
+```dafny
+const d := map[2 := 3, 4 := 6.0 ]
+```
+
+A map display associates a number of domain values with corresponding range values using the syntax _domain value_ := _range value_. 
+All the range values must have the same type or a common supertype.
+
+## **Error: name of module (_name_) is used as a variable**
+
+```dafny
+module M {}
+const c := M
+```
+
+All names in Dafny (except for names of export sets) are in one namespace. Names in different 
+scopes can be distinguished by qualification. Names can also be redeclared in a nested scope
+with different properties. But if a name is visible, it must be used consistent with its
+declaration. So a name declared as a module cannot be used as a variable, even though it is 
+usually clear from context where module names are used and where expressions are used.
+
+
+<!-- 2 instances -->
+
+## **Error: name of type (_type_) is used as a variable**
+
+```dafny
+type t = int
+method m(i: int) {
+  t := i;
+}
+```
+
+All names in Dafny (except for names of export sets) are in one namespace. Names in different 
+scopes can be distinguished by qualification. Names can also be redeclared in a nested scope
+with different properties. But if a name is visible, it must be used consistent with its
+declaration. So a name declared as a type cannot be used as a variable, even though it is 
+usually clear from context where type names are used and where expressions are used.
+
+<!-- 2 instances -->
+
+## **Error: a two-state function can be used only in a two-state context**
+
+<!-- %no-check TODO - fix - incorrect error message for this example -->
+```dafny
+module M {
+  twostate function f(): int
+}
+const c := M.f()
+```
+
+A `twostate` function is a function of two different heaps.
+Accordingly it can be used only in situations in which there are two states
+in play (that is, a _two-state_ context).  One example is in a postcondition
+(_ensures_ clause) where the two states are the states at the beginning and end 
+of the method execution. Another two-state context is the body of a method, 
+where the states are the pre-state of the method and the current state at the
+location of the call. However, contexts outside of a method, such as initializations 
+of const declarations, are not two-state contexts.
+
+## **Error: a field must be selected via an object, not just a class name**
+
+<!-- TODO - may not be reachable -->
+_This error message is not yet documented. Please report any source code that provokes it._
+
+## **Error: member _name_ in type _type_ does not refer to a field or a function**
+
+<!-- TODO - may not be reachable -->
+_This error message is not yet documented. Please report any source code that provokes it._
+
+## **Error: array selection requires an array_n_ (got _type_)**
+
+```dafny
+const a: int
+const x: ORDINAL
+method m() 
+{  
+  var c := a[0,0];
+}
+```
+
+The `a[1,2,3]` syntax denotes the selection of an array element of a multi-dimensional array.
+So the expression prior to the '[' must have array type with a number of dimensions that
+matches the number of index expressions between the left and right brackets.	
+
+## **Error: array selection requires integer- or bitvector-based numeric indices (got _type_ for index _i_)**
+
+```dafny
+const a: array2<int>
+const c := a['c',0]
+```
+
+Multi-dimensional arrays are selected only by integer or bit-vector values.
+There is no implicit conversion from characters or reals.
+A value of ORDINAL type may be used if it can be proved that the value is
+less than the length of the array dimension.
+Note that the 'index' in the error message is counted from 0.
+
+## **Error: update requires a sequence, map, or multiset (got _type_)**
+
+```dafny
+method m(i: int, s: seq<int>) 
+  requires |s| > 100
+{
+  var ss := i[1 := 10];
+}
+```
+
+The update syntax provides a way to produce a slightly modified sequence, multiset, or map:
+if `s` is a `seq<int>`, then `s[1 := 10]` is a `seq<int>` with the same values at the same positions
+as `s`, except that the value at position 1 is now 10. It is important to understand that
+these are _value_ types; the original value of `s` is unchanged; rather a new value is
+produced as a result of the update expression.
+ 
+## **Error: datatype update expression requires a root expression of a datatype (got _type_)**
+
+```dafny
+method m(a: int) 
+{  
+var c := a.(x := 0);
+}
+```
+
+The `.(` syntax indicates a _datatype update expression_. The expression before the `.(`
+should be a value of some datatype, but Dafny's type inference found it to be something else.
+
+## **Error: non-function expression (of type _type_) is called with parameters**
+
+```dafny
+method m(i: int) 
+{
+  var k := i(9);
+}
+```
+
+The syntax `f(a,b,c)` is an example of a call of a function or method `f`, with, in this case,
+three actual arguments, which must correespond to the formal arguments in the definition of `f`.
+This syntax is only legal in an expression if the expression prior to the left parenthesis is a function,
+and not something else. It need not be just an identifier; it could be a expression, such
+as a lambda expression: `((f:int)=>42)(1)`.
+
+## **Error: wrong number of arguments for function application (function type '_type_' expects _number_, got _number_)**
+
+<!-- %no-check TODO - fix - different error message for this example -->
+```dafny
+function f(): int { 0 }
+const k := f(1,2);
+```
+
+This message indicates that in some function call the number of actual arguments does
+not match the number of formal parameters (as given in the function definition).
+Usually the actuals and formals must match exactly, but Dafny does allow
+for optional and named arguments with default values. In those cases, the number of actual
+arguments may be less than the number of formal parameters. 
+(cf. [Parameter Bindings in Reference Manual](../Dafny/Dafny#sec-parameter-bindings))
+
+## **Error: type mismatch for argument _i_ (function expects _type_, got _type_)**
+
+<!-- TODO - may not be reachable -->
+_This error message is not yet documented. Please report any source code that provokes it._
+
+## **Error: sequence construction must use an integer-based expression for the sequence size (got _type_)**
+
+```dafny
+const s := seq(true, i=>i)
+```
+
+The `seq(10, i=>i)` kind of sequence constructor creates a sequence whose size is the value of the first
+argument and whose elements are filled by applying the given function to the appropriate number of 
+`nat` values (beginning with 0). Accordingly the first argument must be a `nat` and the second a function
+from `nat` to values of the element type of the sequence.
+
+## **Error: sequence-construction initializer expression expected to have type '_type_' (instead got '_type_')_hint_**
+
+```dafny
+const s := seq(10, 20)
+```
+
+The `seq(10, i=>i)` kind of sequence constructor creates a sequence whose size is the value of the first
+argument and whose elements are filled by applying the given function to the appropriate number of 
+`nat` values (beginning with 0). Accordingly the first argument must be a `nat` and the second a function
+from `nat` to values of the element type of the sequence.
+
+## **Error: can only form a multiset from a seq or set (got _type_)**
+
+```dafny
+const m:= multiset(42)
+```
+
+The `multiset` function converts a seq or set to a multiset of the same element type. 
+So the argument must be one of those types, and not, say an `int` value.
+
+## **Error: the argument of a fresh expression must denote an object or a set or sequence of objects (instead got _type_)**
+
+```dafny
+method m() {
+  var i: int;
+  assert fresh(i);
+}
+```
+
+The result of the `fresh` predicate is true if the argument has been allocated since the pre-state of the 
+two-state context containing the call. Thus the argument must be of a type that is allocatable,
+such as a class type --- but not value types like `bool` or `int` or datatypes. The argument may also be
+a set or sequence of such allocatable objects.
+
+## **Error: logical/bitwise negation expects a boolean or bitvector argument (instead got _type_)**
+
+```dafny
+const x := !1
+```
+
+The logical negation operator (`!`) applies to `bool` and bitvector values, but not to, for example,
+`int` values without an explicit conversion. In particular there is no conversion between 0 and false
+or 1 and true.
+
+## **Error: size operator expects a collection argument (instead got _type_)**
+
+```dafny
+method m(x: array<int>) {
+  var y: int := |x|;
+}
+```
+
+The |...| operator is the _size_ operator and returns the integer that is the size of its argument.
+Only finite collections (of type `seq`, `set`, `multiset`, `map`) may be the argument of the
+size operator -- not arrays, `iset`, or `imap`.
+
+## **Error: a _what_ definition is not allowed to depend on the set of allocated references**
+
+```dafny
+class B {}
+const bbb: B
+predicate p() { allocated(bbb) }
+```
+
+A function is allowed to depend on the heap, as if the heap were an implicit parameter to the function. 
+Any such dependence on mutable fields must be declared in the function’s reads clause. 
+Dafny enforces that a function’s definition (which includes its body and its requires and reads clauses, 
+but not any of its ensures and decreases clauses) adheres to its reads clause.
+The purpose of the reads clause is to let you determine when the function’s value may have changed. 
+If you invoke F(x) twice on the same parameter x, then you expect to get the same value. 
+But since the heap is an implicit parameter of the function, will F(x) still give the same value if the heap is changed between the two invocations? 
+The reads clause helps answer this question. Suppose the function’s reads clause denotes a set of objects R. 
+Then, as long as the fields of the objects in R are the same for the two invocations of F(x), the two invocations will give the same value.
+Part of this rule is also that the function is not allowed to depend on the “allocation set”, that is, the set of objects that are currently allocated. 
+This is convenient, because a method is always allowed to enlarge the allocation set. 
+As an example, consider a function F(x) with an empty reads clause and a method M() with an empty modifies clause. 
+From this, Dafny allows you to prove the assertion in the following code:
+<!-- %no-check -->
+```dafny
+var tmp := F(x);
+M();
+assert tmp == F(x);
+```
+
+The non-dependence on the allocation set is checked syntactically by the resolver and the reads clause is enforced by the verifier.
+Although it would be possible to extend Dafny's logic so that functions could depend on the allocation set, this is
+at present not implemented.
+
+## **Error: type conversion to an int-based type is allowed only from numeric and bitvector types, char, and ORDINAL (got _type_)**
+
+```dafny
+const x: int := true as int
+```
+
+Not all pairs of types have implicit or even explicit conversions. But there are conversions
+to int types from numeric types, including the ORDINAL type; for any source type, the value of 
+the numeric expression must be in the range for the int type (if it is a subset type or a newtype).
+Even `char` values have an integer representation (and thus a representation as an `int`) 
+corresponding to their unicode value.
+
+## **Error: type conversion to a real-based type is allowed only from numeric and bitvector types, char, and ORDINAL (got _type_)**
+
+```dafny
+const x: real := true as real
+```
+
+Not all pairs of types have implicit or even explicit conversions. But there are conversions
+to real types from numeric types, including the ORDINAL type; for any source type, the value of 
+the numeric expression must be in the range for the real type (if it is a subset type or a newtype).
+Even `char` values have an real representation corresponding to their (integer) unicode value.
+
+
+## **Error: type conversion to a bitvector-based type is allowed only from numeric and bitvector types, char, and ORDINAL (got _type_)**
+
+```dafny
+const x: bv1 := true as bv1
+```
+
+Not all pairs of types have implicit or even explicit conversions. But there are explicit conversions
+to bitvector types from numeric types, including the ORDINAL type; for any source type, the value of 
+the numeric expression must be in the range for the bitvector type. Even `char` values have a
+bitvector representation corresponding to their (integer) unicode value.
+
+## **Error: type conversion to a char type is allowed only from numeric and bitvector types, char, and ORDINAL (got _type_)**
+
+```dafny
+const x: char := true as char
+```
+
+Not all pairs of types have implicit or even explicit conversions. But there are explicit conversions
+to the char type from numeric types, including the ORDINAL type; for any source type, the value of 
+the numeric expression must be in the range for the char type. The numeric values for a given
+`char` is its numeric unicode representation, which (for `--unicode-char=true`) is in the range 
+0 to 0x10FFFF, inclusive, though there are some sub-ranges that are not valid unicode characters.
+
+## **Error: type conversion to an ORDINAL type is allowed only from numeric and bitvector types, char, and ORDINAL (got _type_)**
+
+```dafny
+const x: ORDINAL := true as ORDINAL
+```
+
+Not all pairs of types have implicit or even explicit conversions. But there are explicit conversions
+to the ORDINAL type from numeric types. Even `char` values have an integer representation and 
+ORDINAL value corresponding to their unicode value.
+
+## **Error: type cast to reference type '_type_' must be from an expression assignable to it (got '_type_')**
+
+```dafny
+method m(i: int) {
+  var x := i as object;
+}
+```
+
+The Dafny `as` is a type cast. But Dafny only allows such casts (or checks with `is`) between types that could possibly 
+be cast from one to the other. In this case, something that is not a reference type is attempting to be cast
+to a type that is a reference type.
+
+## **Error: type conversions are not supported to this type (got _type_)**
+
+```dafny
+datatype D = A | B
+const c := 0 as D
+```
+
+The `as` operator is the type conversion operator. But it is only allowed between an expression and a type if it
+is syntactically possible for the value to be converted to the type. Some types, such as datatypes,
+have no conversions to or from other types. Type conversions from a value of a datatype to some other type are
+always identity functions and are not allowed to be written.
+
+## **Error: type test for type '_type_' must be from an expression assignable to it (got '_type_')**
+
+```dafny
+datatype D = A | B
+const c := 0 is D
+```
+
+The `is` operator is the type test operator. It asks whether the expression on the left is a value of the
+type on the right. It might be used to see if a value of a trait type is actually a value of some class
+derived from that trait, or whether a `int` value is actually a value of some int-based subtype.
+However, the `is` operator is not allowed to be used in cases where the type of the expression on the left
+means that the expression could never be a value of the type on the right. For example a
+class value could never be converted to a datatype value, so an `is` between a reference expression and
+a datatype type is not allowed.
+
+## **Error: first argument to _op_ must be of type bool (instead got _type_)**
+
+```dafny
+const b := true
+const i := 4
+const c := i || b
+```
+
+The logical operators `||`, `&&`, `==>`, `<==`, `<==>` take only `bool` arguments.
+Dafny does not have any implicit conversion to or from `bool` values.
+
+## **Error: second argument to _op_ must be of type bool (instead got _type_)**
+
+```dafny
+const b := true
+const i := 4
+const c := b ==> i
+```
+
+The logical operators `||`, `&&`, `==>`, `<==`, `<==>` take only `bool` arguments.
+Dafny does not have any implicit conversion to or from `bool` values.
+
+## **Error: range of quantified variable must be of type bool (instead got _type_)**
+
+```dafny
+function f(i: set<int>): set<int> { set k: int <- i |  true || k  }
+```
+
+In a quantification using the `<-` syntax, the type of the quantified variable is
+determined by its explicit declaration or by the type of the elements of the container
+(the right-hand operand). If the quantified variable is used as a `bool` value
+when it is not a `bool`, this error message occurs.
+
+## **Error: arguments must have comparable types (got _type_ and _type_)**
+
+```dafny
+datatype D = D()
+const z := 0 == D()
+```
+
+All types have `==` and `!=` operations between two elements of the same type.
+And in cases of subtypes and bit-vector types there may be implicit conversions
+that allow members of two different but related types to be compared.
+But dissimilar types cannot be compared.
+
+## **Error: arguments to _op_ must have a common supertype (got _type_ and _type_)**
+
+```dafny
+predicate m(x: int, s: set<int>)  { s !! x }
+```
+
+The `!!` operator takes sets as operands. The complaint here is likely that one of the operands is not a set.
+
+<!-- 2 instances -->
+
+## **Error: arguments must be of a set or multiset type (got _type_)**
+
+```dafny
+const z := 1 !! 2
+```
+
+The `!!` operator denotes disjointness of sets.
+It is only permitted between sets or multisets of the same element type.
+
+## **Error: arguments to rank comparison must be datatypes (got _type_ and _type_)**
+
+```dafny
+datatype D = D()
+class A {}
+method m(a: D, b: A) {
+  assert a < b;
+  assert a > b;
+}
+```
+
+The `<` and `>` operators are used for traditional numeric comparison, 
+comparison of prefixes in sequences (just `<`),
+subset relations among sets,
+and for rank (structural depth) comparisons between values of the same datatype.
+When used for rank comparison, both operands must be values of the same datatype.
+
+## **Error: arguments to _expr_ must have a common supertype (got _type_ and _type_)**
+
+```dafny
+const x: ORDINAL
+const y: int
+const z := y < x 
+const w := y >= x 
+```
+
+For binary operators, the two operands must be able to be implicitly converted to the same supertype.
+For example, two different int-based subtypes would be converted to int, or two values of different
+classes that extend the same trait could be converted to values of that trait.
+Where Dafny cannot determine such a common supertype, the comparison is illegal and this error message results.
+
+## **Error: arguments to _op_ must be of a numeric type, bitvector type, ORDINAL, char, a sequence type, or a set-like type (instead got _type_ and _type_)**
+
+```dafny
+const x: map<int,int>
+const z := x < x 
+```
+
+The `<`, `<=`, `>=`, and `>` operators are used for traditional numeric comparison, 
+comparison of prefixes in sequences (just `<`),
+and subset relations among sets.
+But they are not used for comparing maps or reference values.
+
+<!-- 2 instances -->
+
+## **Error: type of _op_ must be a bitvector type (instead got _type_)**
+
+```dafny
+const z :=  0 << 1
+```
+
+The `<<` and `>>` operators are left- and right-shift operations. 
+They shift a bit-vector value by a given integer number of bits.
+The left-hand operand must be a value of a bit-vector type.
+Even int literals are not implicitly converted to bitvectors 
+(because Dafny would not know which bit-vector type to use).
+An explicit conversion is required.
+
+## **Error: type of left argument to _op_ (_type_) must agree with the result type (_type_)**
+
+<!-- TODO - this is about << and >> operators -- not sure it is reachable -->
+
+## **Error: type of right argument to _op_ (_type_) must be an integer-numeric or bitvector type**
+
+```dafny
+const z :=  (1 as bv4) << true
+```
+
+The `<<` and `>>` operators are left- and right-shift operations. 
+They shift a bit-vector value by a given integer number of bits.
+The right-hand operand must be an integer value,
+but its type may be an int-based type (such as a subtype) or
+a bit-vector type.
+
+## **Error: type of + must be of a numeric type, a bitvector type, ORDINAL, char, a sequence type, or a set-like or map-like type (instead got _type_)**
+
+```dafny
+datatype D = D()
+const z := D() + D()
+```
+
+The `+` operand in Dafny is used for traditional numeric addition, for concatenation of sequences, and for unions.
+But not for all types. There is no `+` for datatypes or references, for example.
+
+## **Error: type of left argument to + (_type_) must agree with the result type (_type_)**
+
+```dafny
+const z := 0 + {1}
+```
+
+Though the `+` operand applies to many of Dafny's types, the left- and right- operand need to be
+the same type or convertible to the same type. For example, there is no conversion from a type to a 
+collection of that type.
+
+## **Error: type of right argument to + (_type_) must agree with the result type (_type_)**
+
+```dafny
+const z := {1} + 0
+```
+
+Though the `+` operand applies to many of Dafny's types, the left- and right- operand need to be
+the same type or convertible to the same type. For example, there is no conversion from a type to a 
+collection of that type.
+
+## **Error: type of - must be of a numeric type, bitvector type, ORDINAL, char, or a set-like or map-like type (instead got _type_)**
+
+```dafny
+datatype D = D()
+const z := D() - D()
+```
+
+The `-` operand in Dafny is used for traditional numeric subtraction, for set difference,
+and key removal from maps.
+But not for all types. There is no `-` for datatypes or references, for example.
+
+
+## **Error: type of left argument to - (_type_) must agree with the result type (_type_)**
+
+```dafny
+const z := 0 - {1}
+```
+
+Though the `-` operand applies the many of Dafny's types, the left- and right- operand need to be
+the same type or convertible to the same type. For example, there is no conversion from a type to a 
+collection of that type.
+
+## **Error: map subtraction expects right-hand operand to have type _type_ (instead got _type_)**
+
+```dafny
+function f(mx: map<int,int>, my: map<int,int>): map<int,int> { mx - my }
+```
+
+The map subtraction operator takes a map and a set as operands; 
+the set denotes those elements of the map's _domain_ that are removed.
+
+## **Error: type of right argument to - (_type_) must agree with the result type (_type_)**
+
+```dafny
+const z := {1} - 0
+```
+
+Though the `-` operand applies to many of Dafny's types, the left- and right- operand need to be
+the same type or convertible to the same type. For example, there is no conversion from a type to a 
+collection of that type.
+
+
+## **Error: type of * must be of a numeric type, bitvector type, or a set-like type (instead got _type_)**
+
+```dafny
+function ff(j: map<int,int>): map<int,int> { j * j }
+```
+
+The `*` operator is defined to either multiply numeric vales or take the interesection of sets and multisets.
+
+## **Error: type of left argument to * (_type_) must agree with the result type (_type_)**
+
+<!-- TODO -->
+
+## **Error: type of right argument to * (_type_) must agree with the result type (_type_)**
+
+```dafny
+function ff(i: int, j: real): real { j * i }
+```
+
+The types of the two arguments of `*` must be the same (or implicitly convertible to be the same).
+Typically the result of the expression is determined by the left operand.
+This message then is stating that the right operand has a different type.
+
+
+## **Error: second argument to _op_ must be a set, multiset, or sequence with elements of type _type_, or a map with domain _type_ (instead got _type_)**
+
+```dafny
+function ff(i: int, j: real): bool { i in j }
+```
+
+The operators `in` and `!in` test membership of a value in a container,
+so the right-hand operand must be a container of some sort.
+It may also be a map, in which case membership in the map's domain is checked, but this use
+is deprecated in favor of `i in m.Keys`,
+
+## **Error: domain of quantified variable must be a set, multiset, or sequence with elements of type _type_, or a map with domain _type_ (instead got _type_)**
+
+```dafny
+function f(i: int): set<bool> { set k <- i |  k }
+```
+
+The syntax `k <- i` means that `k` is a quantified variable whose domain is all the elements of the container `i`.
+So the type of `i` must be a container, such as a set, in which case the type of `k` is the type of elements of the container.
+If the right-hand operand is a `map`, then `k` has the type of the domain of the map.
+
+<!-- up to line 840 -->
+
+
+
+
+
+
diff --git a/v4.10.0/HowToFAQ/Errors-Rewriter.md b/v4.10.0/HowToFAQ/Errors-Rewriter.md
new file mode 100644
index 0000000..db940c9
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors-Rewriter.md
@@ -0,0 +1,356 @@
+
+<!-- %check-resolve %default %useHeadings %check-ids -->
+
+<!-- FILE ./DafnyCore/Rewriters/TimeLimitRewriter.cs -->
+
+## **Warning: timeLimitMultiplier annotation overrides timeLimit annotation** {#rw_timelimit_multiplier}
+
+<!-- %check-resolve-warn -->
+```dafny
+method {:timeLimitMultiplier 10} {:timeLimit 5} m() {}
+```
+
+The {:timeLimitMultiplier n} attribute tells the prover to use a time limit that is the given number
+times the time limit otherwise specified by the options. The {:timeLimit n} attribute simply sets a new
+value for the time limit. It does not make sense to have both attributes on the same declaration. 
+One or the other should be removed. If they are both present, just the {:timeLimitMultiplier} is used.
+
+<!-- ./DafnyCore/Rewriters/LocalLinter.cs -->
+
+## **Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect** {#rw_old_argument_not_on_heap}
+
+<!-- %check-resolve-warn -->
+```dafny
+method m(i: int) 
+{
+   var j: int;
+   j := 1;
+   label L:
+   j := 2;
+   ghost var k := old@L(j);   
+}
+```
+
+The `old` function, used in specifications and ghost code, indicates that the argument (an expression) 
+is to be evaluated in some previous heap state. So if the argument does not depend on the heap, the `old` 
+has no effect and is likely to lead to misunderstanding. Consequently, Dafny warns against doing so.
+For example, it has no effect to apply `old` to a local variable; instead one should capture
+the value of the local variable in a previous state using an otherwise unused ghost variable.
+
+## **Warning: You have written an assert statement with a negated condition, but the lack of whitespace between 'assert' and '!' suggests you may be used to Rust and have accidentally negated the asserted condition. If you did not intend the negation, remove the '!' and the parentheses; if you do want the negation, please add a space between the 'assert' and '!'.** {#rw_warn_negated_assertion}
+
+<!-- %check-resolve-warn -->
+```dafny
+method m() {
+  assert!(1 == 1);
+}
+```
+
+This message warns about a common syntax error for people familiar with Rust. 
+In Rust `assert! e` indicates checking that expression `e` holds. But in Dafny the `!` negates the expression.
+That is `assert! e` is `assert !e` in Dafny. The syntactic solution to avoid the warning is to either put space 
+between the `assert` and `!` (if the negation is intended) or to omit the `!` (if the negation is not intended).
+
+<!-- FILE ./DafnyCore/Rewriters/InductionRewriter.cs-->
+
+## **Warning: _item_s given as :induction arguments must be given in the same order as in the quantifier; ignoring attribute** {#rw_induction_arguments_quantifier_mismatch}
+
+<!-- %check-resolve-warn -->
+```dafny
+predicate g(i: int, j: int)
+function f(): int
+  ensures forall i: int, j: int {:induction j,i} | true :: g(i,j)
+{ 0 }
+```
+
+The `{:induction}` attribute gives some guidance to the prover as to how to construct the induction argument that 
+proves the lemma. The heuristics that infer an induction proof require that the arguments of the attribute be in the
+same order as the bound variables of the quantifier. If not, the :induction attribute is ignored.
+
+## **Warning: lemma parameters given as :induction arguments must be given in the same order as in the lemma; ignoring attribute** {#rw_induction_arguments_lemma_mismatch}
+
+<!-- TODO - not sure this is reachable -->
+
+The `{:induction}` attribute gives some guidance to the prover as to how to construct the induction argument that 
+proves the lemma. The heuristics that infer an induction proof require that the arguments of the attribute be in the
+same order as the parameters of the lemma. If not, the :induction attribute is ignored.
+
+## **Warning: invalid :induction attribute argument; expected _what_; ignoring attribute** {#rw_invalid_induction_attribute}
+
+<!-- %check-resolve-warn -->
+```dafny
+const c := 0
+lemma {:induction 42} m(i: int, j: int) ensures i + j == j + i {} 
+```
+
+The arguments of the `:induction` attribute can be any of the lemma parameters (for a lemma)
+or bound quantifiers (for a quantifier expression), the `this` keyword, or true or false.
+
+<!-- FILE ./DafnyCore/Rewriters/ConstructorWarning.cs -->
+
+## **Warning: Constructor name '_pattern_' should be followed by parentheses** {#rw_warn_constructor_parentheses}
+
+<!-- %check-resolve-warn %options --warn-missing-constructor-parentheses -->
+```dafny
+datatype D = A | B
+
+method m(d: D) {
+  match d {
+    case A => return;
+    case B() => return;
+  }
+}
+```
+
+The pattern following a `case` keyword can be a constructor possibly without arguments or it can be 
+new variable to be bound to the match expression. A parameter-less constructor may be written
+without parentheses. A simple identifier that happens to be a constructor of right type 
+will be matched in preference as the constructor.
+
+This can lead to surprises if there is a matching constructor that the writer or the reader of the
+software is unaware of. So it is useful to always write constructors with parentheses, to visually
+distinguish them from simple identifiers.
+
+The `--warn-missing-constructor-parentheses` option will warn if a constructor is used without
+parentheses. The solution is to either add parentheses (if a constructor is intended) or
+rename the identifier (if a fresh bound identifier is intended).
+
+<!-- FILE ./DafnyCore/RewritersPrecedenceLinter.cs-->
+
+## **Warning: unusual indentation in _what_ (which starts at _location_); do you perhaps need parentheses?** {#rw_unusual_indentation_start}
+
+<!-- %check-resolve-warn -->
+```dafny
+function f(b: bool): bool
+{
+  b &&
+  b ==> b // this parses as (b && b) ==> b, but reads as b && (b ==> b)
+}
+```
+
+Long expressions are best split up across multiple lines; readers often use indentation as a guide
+to the nesting of subexpressions. For example, parallel conjuncts or disjuncts may be written with 
+the same indentation. This warning occurs when the observed indentation is likely to cause
+a misunderstanding of the code, particularly of the precedence of operations. It is suggested
+to use parentheses or to redo the indentation to make the structure of the expression clearer.
+
+## **Warning: unusual indentation in _what_ (which ends at _location_); do you perhaps need parentheses?** {#rw_unusual_indentation_end}
+
+<!-- %check-resolve-warn -->
+```dafny
+function f(b: bool): bool
+{
+  b ==> b && 
+  b          // this parses as b ==> (b && b), but reads as (b ==> b) && b
+}
+```
+
+Long expressions are best split up across multiple lines; readers often use indentation as a guide
+to the nesting of subexpressions. For example, parallel conjuncts or disjuncts may be written with 
+the same indentation. This warning occurs when the observed indentation is likely to cause
+a misunderstanding of the code, particularly of the precedence of operations. It is suggested
+to use parentheses or to redo the indentation to make the structure of the expression clearer.
+
+<!-- FILE ./DafnyCore/Rewriters/RunAllTestsMainMethod.cs -->
+
+## **Error: Methods with the :test attribute may not have input arguments** {#rw_test_methods_may_not_have_inputs}
+
+<!-- %check-test -->
+```dafny
+method {:test} m(i: int) {}
+```
+
+The test tool runs all the methods that are marked with `{:test}`. The test tool expects two kinds of
+behavior: (a) the method may abort with a failing `expect` or (b) the method may return a datatype value that
+has an `IsFailure()` function which returns false. But the test method has no means of selecting inputs to
+give to a method under test. An experimental test-generation tool is in development, but for the moment, a
+routine under test may not have input arguments. A typical solution is to write an auxiliary method,
+marked with `{:test}`, that takes no
+inputs, and that then calls the desired method with various combinations of inputs.
+
+## **Error: Methods with the :test attribute can have at most one return value** {#rw_test_method_has_too_many_returns}
+
+<!-- %check-test -->
+```dafny
+method {:test} m() returns (j: int, k: int) 
+{
+  j, k := 0,0;
+}
+```
+
+This error only occurs when using `dafny test`. That command executes all methods attributed
+with `{:test}`, but such test methods are limited to methods with at most one output parameter.
+Typically that out-parameter has a failure-compatible type whose value is used to indicate whether the 
+test succeeeded or failed. If the type is not a failure-compatible type, the test is presumed to be successful.
+This is purely an implementation limitation. (cf. [Issue 3387](https://github.com/dafny-lang/dafny/issues/3387))
+
+<!-- FILE ./DafnyCore/Rewriters/ExpectContracts.cs-->
+
+## **Warning: The _kind_ clause at this location cannot be compiled to be tested at runtime because it references ghost state.** {#rw_clause_cannot_be_compiled}
+
+<!-- %no-check %check-test %options --test-assumptions:Externs -->
+```dafny
+method {:extern} m(i: int, ghost j: int) 
+  requires j == 1
+```
+
+The `--test-assumptions` option inserts tests of various contracts and implicit assumptions 
+in a Dafny method, such as the requires and ensures clauses.
+However, because these inserted tests are compiled into the target
+program as runtime checks, they cannot refer to any ghost variables.
+(This mechanism implements Dafny's runtime-assertion checking.)
+ 
+## **Warning: Internal: no wrapper for _name_** {#rw_no_wrapper}
+
+This message indicates a bug within the `dafny` tool. Please report the program that
+triggered the message to [the Github issues site](https://www.github.com/dafny-lang/dafny/issues).
+
+## **Warning: No :test code calls _name_** {#rw_unreachable_by_test}
+
+This warning indicates that some method marked with {:extern} is not called
+by any method marked with {:test}. The intention is to check coverage of
+the programmed unit tests. The warning only appears when using
+`/testContracts:TestedExterns` with the legacy CLI.
+It is likely to be removed in a future version of `dafny`.
+
+<!-- FILE ./DafnyCore/Rewriters/PrintEffectEnforcement.cs-->
+
+## **Error: :print attribute is not allowed on functions** {#rw_print_attribute_forbidden_on_functions}
+
+<!-- %check-resolve -->
+```dafny
+function {:print} f(): int { 0 }
+```
+
+The `{:print}` attribute is used to mark methods that have a side-effect of
+printing something, that is, they modify the external environment.
+Functions, whether ghost or compiled, are intended to have no side-effects at all.
+Thus Dafny forbids (ghost or compiled) functions from declaring that they have
+a print side-effect (whether or not print effects are being tracked with 
+`--track-print-effects`).
+
+## **Error: :print attribute is not allowed on ghost methods** {#rw_print_attribute_forbidden_on_ghost_methods}
+
+<!-- %check-resolve -->
+```dafny
+ghost method {:print} f() { }
+```
+
+The `{:print}` attribute is used to mark methods that have a side-effect of
+printing something, that is, they modify the external environment.
+A program's ghost code is not allowed to modify the actual execution of a program.
+Thus ghost code should not contain print statements.
+So Dafny forbids ghost methods from declaring that they have a print side-effect
+(whether or not print effects are being tracked with `--track-print-effects`).
+
+## **Error: not allowed to override a non-printing method with a possibly printing method (_name_)** {#rw_override_must_preserve_printing}
+
+<!-- %check-resolve -->
+```dafny
+trait T {
+  method m()
+}
+
+class C extends T {
+  method {:print} m() {}
+}
+```
+
+The `{:print}` attribute is used to mark methods that have a side-effect of
+printing something, that is, they modify the external environment.
+If a trait declares a method without a `{:print}` attribute, then any implementation 
+of that method may not do any printing, as it must obey the trait's specification.
+Thus a class implementing that method by an override cannot declare the method as possibly
+printing something, by giving it a `{:print}` attribute --- even if it does not actually do any printing.
+
+## **Error: :print attribute does not take any arguments** {#rw_print_attribute_takes_no_arguments}
+
+<!-- %check-resolve -->
+```dafny
+method {:print 42} f() { }
+```
+
+The `{:print}` attribute is used to mark methods that have a side-effect of printing something.
+No arguments to the attribute are needed or allowed.
+
+## **Error: a function-by-method is not allowed to use print statements** {#rw_no_print_in_function_by_method}
+
+<!-- %check-resolve %options --track-print-effects -->
+```dafny
+function f(): int {42 }
+by method {
+  print "I'm here\n";
+  return 42;
+}
+```
+
+The `{:print}` attribute is used to mark methods that have a side-effect of
+printing something, that is, they modify the external environment.
+Functions, whether ghost or compiled, are intended to have no side-effects at all.
+A function-by-method has a method body that is intended to be a compiled way of computing 
+what the function body expresses. But as a function may not have side-effects,
+the method body should not have any print statements.
+
+This tracking of print statements (and the forbidding of them by this error message)
+only happens when the `--track-print-effects` option is enabled;
+the option is disabled by default.
+
+## **Error: to use a print statement, the enclosing _method_ must be marked with {:print}** {#rw_print_attribute_required_to_print}
+
+<!-- %check-resolve %options --track-print-effects -->
+```dafny
+method m() { print 42; }
+```
+
+The `{:print}` attribute is used to mark methods that have a side-effect of
+printing something, that is, they modify the external environment.
+So a method that prints something (even transitively) should be marked with `{:print}`.
+This error indicates that such an attribute is missing -- either add the attribute 
+or remove the print statement.
+
+This tracking of print statements (and thus the possibility of this error message)
+only happens when the `--track-print-effects` option is enabled;
+the option is disabled by default.
+
+## **Error: a function-by-method is not allowed to call a method with print effects** {#rw_function_by_method_may_not_call_printing_method}
+
+<!-- %check-resolve %options --track-print-effects -->
+```dafny
+function m(): int { 42 }
+by method { p(); return 42; }
+
+method {:print} p() {}
+```
+
+The `{:print}` attribute is used to mark methods that have a side-effect of
+printing something, that is, they modify the external environment.
+Functions, whether ghost or compiled, are intended to have no side-effects at all.
+A function-by-method has a method body that is intended to be a compiled way of computing 
+what the function body expresses. But as a function may not have side-effects,
+the method body should not have any print statements.
+
+In this case, the method body might print something because a method that is called in the body
+is attributed with `{:print}` (whether or not it actually does print something).
+
+This tracking of print statements (and thus the possibility of this error message)
+only happens when the `--track-print-effects` option is enabled;
+the option is disabled by default.
+
+## **Error: to call a method with print effects, the enclosing _method_ must be marked with {:print}** {#rw_must_be_print_to_call_printing_method}
+
+<!-- %check-resolve %options --track-print-effects -->
+```dafny
+method m() { p(); }
+
+method {:print} p() {}
+```
+
+The `{:print}` attribute is used to mark methods that have a side-effect of
+printing something, that is, they modify the external environment.
+In this case, the method body might print something because a method that is called in the body
+is attributed with `{:print}` (whether or not it actually does print something).
+So the calling method must be marked with `{:print}` as well.
+
+This tracking of print statements (and thus the possibility of this error message)
+only happens when the `--track-print-effects` option is enabled;
+the option is disabled by default.
diff --git a/v4.10.0/HowToFAQ/Errors.md b/v4.10.0/HowToFAQ/Errors.md
new file mode 100644
index 0000000..68fa1c2
--- /dev/null
+++ b/v4.10.0/HowToFAQ/Errors.md
@@ -0,0 +1,52 @@
+---
+layout: default
+---
+<font size="+4"><p style="text-align: center;">Dafny Errors and Warnings</p></font> <!-- PDFOMIT -->
+
+
+<link rel="stylesheet" href="../assets/main.css">
+<link rel="icon" href="../images/dafny-favicon.png" type="image/png">
+<link rel="icon" href="../images/dafny-favicon.svg" type="image/svg+xml">
+
+<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
+
+This page contains a catalog of the dafny tool's Error and Warning messages,
+all in one long page to facilitate searching.
+
+The title of each section is an error message.
+Each section contains example code that produces the error,
+which is then followed by explanation and references.
+
+Italicized words in the given messages indicate variable content.
+
+# **Command-line Errors and Warnings**
+
+{% include_relative Errors-CommandLine.md %} 
+
+# **Compilation Errors**
+
+{% include_relative Errors-Compiler.md %}
+
+# **Parser Errors and Warnings**
+
+{% include_relative Errors-Parser.md %}
+
+# **Miscellaneous Errors and Warnings**
+
+{% include_relative Errors-Generic.md %}
+
+# **Name and Type Resolution Errors and Warnings**
+
+{% include_relative Errors-Resolution.md %}
+{% include_relative Errors-Resolver2.md %}
+{% include_relative Errors-Resolver3.md %}
+{% include_relative Errors-Rewriter.md %}
+
+# **Refinement Errors**
+
+{% include_relative Errors-Refinement.md %}
+
+# **Verification Errors**
+
+_This section is a work in progress_
+
diff --git a/v4.10.0/HowToFAQ/FAQAttribute.md b/v4.10.0/HowToFAQ/FAQAttribute.md
new file mode 100644
index 0000000..ac97093
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQAttribute.md
@@ -0,0 +1,15 @@
+---
+title: Where are attributes documented?
+---
+
+## Question
+
+Where are attributes documented? Why does my attribute not seem to make a difference?
+
+## Answer
+
+In general, attributes are documented in a chapter of the [reference manual](../DafnyRef/DafnyRef#sec-attributes); some are also documented in the sections in which the language feature for which they are relevant is described.
+However, at present not all of them are documented.
+
+Some projects with forks of Dafny may introduce attributes of their own.
+Keep in mind, that any attributes not recognized by Dafny are silently ignored, to allow for such extension.
diff --git a/v4.10.0/HowToFAQ/FAQBVNegation.md b/v4.10.0/HowToFAQ/FAQBVNegation.md
new file mode 100644
index 0000000..04417df
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQBVNegation.md
@@ -0,0 +1,19 @@
+---
+title: What is `-` on bitvectors?
+---
+
+## Question
+
+What is `-` on bitvectors?
+
+## Answer
+
+The `-` operator for bit-vectors is subtraction or unary negation.
+Unary negation, `- b` is equivalent to `0 - b`.
+This is not the same as complement, which is written as `! b`.
+
+For example, the `bv5` value equivalent to the natural number `13` is `01101`.
+- The complement of this value is `10010`, which is `18`.
+- The negation of this value is `10011`, which is `19`.
+
+In 2's complement fixed-bit-width arithmetic, `-x` is `!x + 1`.
diff --git a/v4.10.0/HowToFAQ/FAQBoogie.md b/v4.10.0/HowToFAQ/FAQBoogie.md
new file mode 100644
index 0000000..d4c03e8
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQBoogie.md
@@ -0,0 +1,38 @@
+---
+title: How do I run boogie manually?
+---
+
+## Question
+
+How do I run Boogie manually? What Dafny output and command-line flags do I need?
+
+## Answer
+
+A Boogie file is generated by Dafny using the option `-print`. For example, the command `dafny -print:a.bpl HelloWorld.dfy` will produce a file `a.bpl`. 
+If the `-print` option lacks an argument (the file name), the somewhat confusing message `Error: No input files were specified` is emitted.
+Be cautious: `dafny -print A.dfy B.dfy` may overwrite `A.dfy`.
+You can also use `-print:-` to send the boogie file to the standard output.
+
+To run boogie, it is most convenient to install boogie directly. See https://github.com/boogie-org/boogie.
+Dafny invokes Boogie as a library, not as a spawned executable, so there is no Boogie executable in the Dafny installation.
+However, the version of Boogie that Dafny uses corresponds to Boogie 2.15.7 (as of Dafny 3.7.3). 
+
+
+On a simple _Hello World_ program, `boogie a.bpl` is sufficient. Dafny does rely on these default Boogie options
+- `smt.mbqi` is set `false`
+- `model.compact` is set `false`
+- `model.v2` is set `true`
+- `pp.bv_literals` is set `false`
+
+Dafny also sets these non-default Boogie options:
+- `auto_config` is set `false`
+- `type_check` is set `true`
+- `smt.case_split` is set `3`
+- `smt.qi.eager_threshold` is set `100`
+- `smt.delay_units` is set `true`
+- `smt.arith.solver` is set `2`
+
+These all however are subject to change, especially as the version of Boogie used changes
+
+In addition, Dafny sends a variety of other command-line options to Boogie, depending on selections by the user and heuristics built-in to Dafny.
+Some guide to the available (Dafny) options that are passed through to Boogie are [in the reference manual](../../DafnyRef/DafnyRef#sec-controlling-boogie).
diff --git a/v4.10.0/HowToFAQ/FAQClassInSpec.md b/v4.10.0/HowToFAQ/FAQClassInSpec.md
new file mode 100644
index 0000000..49026d6
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQClassInSpec.md
@@ -0,0 +1,16 @@
+---
+title: Can classes appear in specs?
+---
+
+## Question
+
+Can classes appear in specs?
+
+## Answer
+
+Class types can be argument types for a method or function and the corresponding formal parameter can then be mentioned in specs.
+Within the specs, you can call functions (ghost or not) of those classes.
+
+However, there are some limitations:
+- Primarily, the `new` operator may not be used in a specification, so new class objects cannot be allocated in the spec
+- Note also that class objects are on the heap; as heap objects they will need to be mentioned in reads clauses.
diff --git a/v4.10.0/HowToFAQ/FAQCompileTargets.md b/v4.10.0/HowToFAQ/FAQCompileTargets.md
new file mode 100644
index 0000000..cdd8a8f
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQCompileTargets.md
@@ -0,0 +1,15 @@
+---
+title: What compiler target langages are in development?
+---
+
+## Question
+
+What compiler target langages are in development?
+
+## Answer
+
+As of version 3.7.3
+- C#, Javascript, Java, and Go are well-supported
+- Python is under development
+- Limited support for C++ is available
+- Rust support is being planned
diff --git a/v4.10.0/HowToFAQ/FAQCurry.md b/v4.10.0/HowToFAQ/FAQCurry.md
new file mode 100644
index 0000000..7a98da0
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQCurry.md
@@ -0,0 +1,18 @@
+---
+title: Is there a way to do partial application for functions?
+---
+
+## Question
+
+Is there a way to do partial application for functions in Dafny?
+
+## Answer
+
+Given
+```
+function f(i: int, j: int): int {...}
+```
+one can create a new partially-evaluated function, say evaluating the first argument at `2`, by writing the lambda expression `k => f(2,k)`.
+But note that this does not do any evaluation, partial or not. It merely defines a new function `f'` of one argument, such at `f'(k)` is `f(2,k)`.
+
+Dafny does not permit the syntax `f(2)` as a shorthand for `k => f(2,k)`.
diff --git a/v4.10.0/HowToFAQ/FAQDafnyAsLibrary.md b/v4.10.0/HowToFAQ/FAQDafnyAsLibrary.md
new file mode 100644
index 0000000..eef0d7f
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQDafnyAsLibrary.md
@@ -0,0 +1,12 @@
+---
+title: Is Dafny available as a library, to be called from other software?
+---
+
+## Question
+
+Is Dafny available as a library, to be called from other software?
+
+## Answer
+
+Yes, it is. The DafnyPipeline library on NuGet is the most likely candidate for inclusion in a third-party program. 
+
diff --git a/v4.10.0/HowToFAQ/FAQDefaultInitialValue.md b/v4.10.0/HowToFAQ/FAQDefaultInitialValue.md
new file mode 100644
index 0000000..892b0fd
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQDefaultInitialValue.md
@@ -0,0 +1,26 @@
+---
+title: How does one declare a type to have a "default" initial value, say a type tagged with {:extern}?
+---
+
+## Question
+
+How does one declare a type to have a "default" initial value, say a type tagged with {:extern}?
+
+## Answer
+
+There is no general way to do this. Subset types and newtypes have [witness](../DafnyRef/DafnyRef/#sec-witness-clauses) clauses and types that are [auto-initializable](../DafnyRef/DafnyRef#sec-auto-init)
+have a default, but those rules do not apply to anonymous extern types.
+Particularly for abstract types, there is not even a way to infer such a value.
+
+You can manually initialize like this:
+```dafny
+type {:extern} TT {
+}
+function {:extern} init(): TT
+
+method mmm() {
+  var x: TT := init();
+  var y:= x;
+}
+```
+
diff --git a/v4.10.0/HowToFAQ/FAQDefaultParameter.md b/v4.10.0/HowToFAQ/FAQDefaultParameter.md
new file mode 100644
index 0000000..6b5e968
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQDefaultParameter.md
@@ -0,0 +1,44 @@
+---
+title: How do I declare a default value for a parameter of a method or function?
+---
+
+## Question
+
+How do I declare a default value for a parameter of a method or function?
+
+## Answer
+
+The parameters of methods and functions can be referred to by name.
+```dafny
+  method m( i: int,  j: int, k: int) {}
+  method q() {
+    m(4, k:= 7, j:=8);
+
+  }
+```
+In the left-to-right sequence of actual arguments, once a parameter is referred to by name, all the rest must also be referred to by name. The named arguments may be in any order.
+
+Furthermore, arguments can be given default values.
+```dafny
+  method m( i: int,  j: int, k: int := 0) {}
+  method q() {
+    m(4, 4, k:=8);
+    m(1, j:=2);
+    m(1,2);
+  }
+```
+In the left-to-right sequence of actual arguments, once a parameter is given a default value, all the rest must also have a default value. Arguments may still be referred to by name, but now any named
+argument with a default is optional. If there are no names at all, then it is always the last
+arguments that are omitted if the actual argument list is shorter than the formal parameter list,
+and they must all have defaults.
+
+Finally, a parameter may be declared as `nameonly`, in which case it must be referred to by name.
+```dafny
+  method m( i: int,  j: int, nameonly k: int := 0, q: int := 8) {}
+  method q() {
+    // m(4, 4, 8 ); // Error
+    m(4, 4, q:=9);
+    m(4, 4, k:=8);
+  }
+```
+Such a parameter may but does not need to have default value, but if it does not, it cannot be omitted.
diff --git a/v4.10.0/HowToFAQ/FAQDie.md b/v4.10.0/HowToFAQ/FAQDie.md
new file mode 100644
index 0000000..39d33b6
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQDie.md
@@ -0,0 +1,11 @@
+---
+title: Is there a way to ask Dafny to die on its first verification failure?
+---
+
+## Question
+
+Is there a way to ask Dafny to die on its first verification failure?
+
+## Answer
+
+No. At least as of version 3.7.3.
diff --git a/v4.10.0/HowToFAQ/FAQDocGenerator.md b/v4.10.0/HowToFAQ/FAQDocGenerator.md
new file mode 100644
index 0000000..9310405
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQDocGenerator.md
@@ -0,0 +1,13 @@
+---
+title: Is there a doc generator for Dafny?
+---
+
+## Question
+
+Is there a doc generator for Dafny?
+
+## Answer
+
+Not one produced by the Dafny team or included in a Dafny release.
+This 3rd-party tool was reported by users: [https://github.com/nhweston/dfydoc](https://github.com/nhweston/dfydoc).
+
diff --git a/v4.10.0/HowToFAQ/FAQElephant.md b/v4.10.0/HowToFAQ/FAQElephant.md
new file mode 100644
index 0000000..dbb9a2c
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQElephant.md
@@ -0,0 +1,16 @@
+---
+title: What is the `:-` operator? How does it work?
+---
+
+## Question
+
+What is the `:-` operator? How does it work?
+
+## Answer
+
+This operator is called the _elephant operator_ (because it has a trunk).
+It is used to write code that exits on failure (much like exceptions in other programming languages or the ? operator in Rust).
+The topic is discussed at length in
+the section of the reference manual on [Update with Failure statements](../DafnyRef/DafnyRef#sec-update-failure).
+
+In brief, Dafny permits methods to return values of _failure-compatible_ types. If the result of a method is being assigned to a variable with the `:-` operator and the result is a failure, then the method exits immediately, with the failure being propagated to the calling method.
diff --git a/v4.10.0/HowToFAQ/FAQExternReturnsObject.md b/v4.10.0/HowToFAQ/FAQExternReturnsObject.md
new file mode 100644
index 0000000..a76f6ff
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQExternReturnsObject.md
@@ -0,0 +1,56 @@
+---
+title: How do I model extern methods that return objects?
+---
+
+## Question: 
+
+How do I model extern methods that return objects?
+
+
+## Answer:
+
+When modeling extern functions that return objects, it's usually not good to have specifications that return objects. 
+It's better to have a predicate that takes the input of a function, an object, and relates the two to each other.
+
+For example:
+
+```dafny
+trait {:extern} {:compile false} Test {
+  var i: int
+  var y: int
+}
+trait {:extern} {:compile false} Importer {
+  function Import(i: int): (r: Test)
+    ensures r.i == i
+
+  method {:extern} {:compile false} DoImport(i: int) returns (r: Test)
+    ensures r == Import(i)
+
+  predicate Conditions(i: int) {
+     && var r := Import(i);
+     && r.y == 2
+  }
+}
+```
+
+In this case, it's better to write a predicate, and use existential quantifiers along with the `:|` operator, 
+and there is no need to prove uniqueness because we are in ghost code!
+
+```dafny
+trait {:extern} {:compile false} Test {
+  var i: int
+}
+trait {:extern} {:compile false} Importer {
+  predicate IsImported(i: int, r: Test) {
+    r.i == i
+  }
+  method {:extern} {:compile false} DoImport(i: int) returns (r: Test)
+    ensures IsImported(i, r)
+
+  predicate Conditions(i: int) {
+     && (exists r: Test :: IsImported(i, r))
+     && var r :| IsImported(i, r);   // Note the assignment has changed.
+     && r.y == 2
+  }
+}
+```
diff --git a/v4.10.0/HowToFAQ/FAQFailingPost.md b/v4.10.0/HowToFAQ/FAQFailingPost.md
new file mode 100644
index 0000000..e350e52
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFailingPost.md
@@ -0,0 +1,34 @@
+---
+title: I can assert a condition right before a return, so why does the postcondition fail to verify?
+---
+
+## Question
+
+I can assert a condition right before a return, so why does the postcondition fail to verify?
+
+## Answer
+
+There can be lots of reasons why a postcondition might fail to verify, but if you can prove the same predicate just before a return, 
+a typical reason is that there are other exit paths from the method or function. There might be other `return` statements, but a
+harder to spot exit path is the `:-` let-or-fail assignment.
+Here is a sketch of that kind of problem:
+
+```dafny
+include "library/Wrappers.dfy"
+
+method test(MyClass o) returns (r: Wrappers.Result<int>)
+  modifies o;
+  ensures o.ok == true;
+{
+  o.ok := true;
+  o.data :- MyMethod(o);
+  assert o.ok;
+  return;
+}
+```
+(This example uses the `Result` type from the [standard library](https://github.com/dafny-lang/libraries/blob/master/src/Wrappers.dfy). The `include` directive in the example requires that you have a copy of the standard library in `./library`.)
+
+This method can exit either through the `return` at the end or through the failure return if a failure value is returned
+from `MyMethod`. That return happens before the `assert` that is intended to do a pre-check of the postcondition; depending
+on the action of `MyMethod`, the target predicate may not be always true.
+  
diff --git a/v4.10.0/HowToFAQ/FAQForall.md b/v4.10.0/HowToFAQ/FAQForall.md
new file mode 100644
index 0000000..ef28556
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQForall.md
@@ -0,0 +1,32 @@
+---
+title: How do I use `forall` statements and expressions in a lemma?
+---
+
+## Question
+
+If I'm trying to prove a lemma in Dafny with a `forall` statement that needs help in the body (`{}`) of the lemma, how do I make an arbitrary variable in the body of the lemma to help prove the `forall` statement?
+
+## Answer
+
+Note that there is a difference between a `forall` expression, which is a universally quantified formula, and a `forall` statement, which is used to establish the truth of a universally quantified formula. To do what you want to do, write:
+```dafny
+lemma MyLemma()
+  ensures forall s :: P(s) ==> Q(s)
+{
+  forall t | P(t)
+    ensures Q(t)
+  {
+    // Here, t is in scope, and P(t) is assumed.
+    // Your task here is to prove Q(t) for this particular t.
+  }
+  // Here, you get to assume "forall t :: P(t) ==> Q(t)"
+}
+```
+
+The `forall` in the ensures is an expression and the `forall` in the body of the lemma is a statement.
+
+This use of the `forall` statement is what logicians call “universal introduction”.
+
+Note the slight difference in syntax between the `forall` expression and `forall` statement.
+Although Dafny tries to make the syntax of these sorts of things as similar as possible between expressions and statements, there are some differences. 
+The following Dafny Power User note may be helpful in understanding the syntax: [Dafny Power User: Statement vs. Expression Syntax](http://leino.science/papers/krml266.html).
diff --git a/v4.10.0/HowToFAQ/FAQForallTricks.md b/v4.10.0/HowToFAQ/FAQForallTricks.md
new file mode 100644
index 0000000..e9aca72
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQForallTricks.md
@@ -0,0 +1,41 @@
+---
+title: "Why can't I write `forall t: Test :: t.i == 1` for an object `t`?"
+---
+
+## Question:
+
+Why can\'t I write `forall t: Test :: t.i == 1` for an object `t`?
+
+## Answer:
+
+This code
+
+```dafny
+trait Test {
+ var i: int
+}
+class A {
+  predicate testHelper() {
+    forall t: Test :: t.i == 1
+    // a forall expression involved in a predicate definition is not allowed to depend on the set of allocated references,
+  }
+}
+```
+
+can be better written as
+
+```dafny
+trait Test {
+ var i: int
+}
+class A {
+  ghost const allTests: set<Test>
+  predicate testHelper() reads allTests {
+    forall t: Test <- allTests :: t.i == 1
+  }
+}
+```
+
+That way, if you want to assume anything about the Test classes that you are modeling extern, 
+you only need to specify an axiom that says that whatever Test you have was in allTests, 
+which could have been a pool of Test objects created from the start anyway, and then you can use your axiom. 
\ No newline at end of file
diff --git a/v4.10.0/HowToFAQ/FAQFunctionByMethodProof.md b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof.md
new file mode 100644
index 0000000..e107e27
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof.md
@@ -0,0 +1,87 @@
+---
+title: I can't prove the equivalence between the method part of a `function by method`` and the function itself
+---
+
+## Question
+
+I can't prove the equivalence between the method part of a function by method and the function itself.
+It seems that my invariants can't be maintained by the loop, and I don't know how to prove them.
+
+## Answer
+
+Consider the simple problem of computing the sum of a sequence of integers.
+You might be tempted to immediately write the following equivalence,
+with your best guess of an invariant
+and a hint at the end to help Dafny realize that the result is correct.
+However you cannot prove the invariant you just wrote.
+
+```
+{% include_relative FAQFunctionByMethodProof1.dfy %}
+```
+
+Let's unroll the computation of the function on a sequence of 3 elements.
+The function will compute:
+
+`s[0] + (s[1] + (s[2] + 0))`
+
+But the loop will compute
+
+`((0 + s[0]) + s[1]) + s[2]`
+
+In the function, we add the first element (`s[0]`) to the result of computing the sum of the remaining elements (`s[1] + (s[2] + 0))`).
+In the by method, we add the last element (`s[2]`) to the accumulator, which contains the sum of the initial terms (`(0 + s[0]) + s[1]`).
+If it was not the case that the addition was associative and 0 was a neutral element, there would be no immediate way to prove that the two computations are equivalent.
+
+There are essentially three solutions around that:
+
+* Improve the invariant, knowing `+` is associative
+* Change the order of computation of the function so that it matches the by method
+* Change the order of computation of the by method so that it matches the function
+
+There are more intrusive solutions, such as making the function tail-recursive by changing the function's signature to include an accumulator or a sequence of callbacks to perform a the end, but we will explore only the one that don't change the signature of `Sum()`.
+
+## Improved invariant
+
+You can change the invariant to be `invariant result + Sum(s[i..]) == Sum(s)`, as below:
+
+```
+{% include_relative FAQFunctionByMethodProof2.dfy %}
+```
+
+This works because, with `result'` being the result at the end of the loop and `+` being associative,
+the lemma `IntermediateProperty()` shows the underlying reasoning that helps prove that the invariant
+is indeed invariant. Dafny can prove it automatically, so the lemma is not needed in the loop body.
+One nice thing is that we can get rid of the final hint.
+
+What if you had an operation more complex that "+", that is not associative?
+This is when you need to ensure the loop and the function are computing in the same order.
+Let's explore how to do so by changing either the function, or the by-method body.
+
+## Make the function compute what the by-method does
+The by-method loop's first addition is 0 plus the first element (`s[0]`) of the sequence. For this to
+be the first addition performed by the function, it has to be at the bottommost level of the call.
+Indeed, each addition is performed after the recursive call finishes. This means that
+the function needs to sum the `n-1` elements first and add the remaining last one.
+
+Since it's exactly what the method computes, it satisfies our initial invariant.
+
+```
+{% include_relative FAQFunctionByMethodProof3.dfy %}
+```
+
+Not only does this approach require more proof hints, but it might also break the proofs that dependend on the shape of the function, while all we wanted in the first place was to give a more efficient implementation to the function.
+Therefore, it's reasonable to expect we will prefer to change the implementation of the by-method body to reflect the function, not the opposite, as follows:
+
+## Make the by-method body compute what the function computes
+
+To compute iteratively what the function computes recursively, you have to find what is the first
+addition that will be computed by the method. As mentioned previously, the first addition is the one performed at the bottommost level of recursion: the first addition is `s[|s|-1] + 0`,
+so the loop has to actually be in reverse, like this:
+
+```
+{% include_relative FAQFunctionByMethodProof4.dfy %}
+```
+
+Note that this approach results in the smallest invariant that actually closely matches the function itself.
+Also, instead of adding to the right of `result`, adding to the left ensures the same order is kept,
+in case the operation was not commutative (so that it would work for sequence append operation).
\ No newline at end of file
diff --git a/v4.10.0/HowToFAQ/FAQFunctionByMethodProof1.dfy b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof1.dfy
new file mode 100644
index 0000000..be5753e
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof1.dfy
@@ -0,0 +1,16 @@
+function Sum(s: seq<int>): (result: int) {
+  if |s| == 0 then
+    0
+  else
+    s[0] + Sum(s[1..])
+} by method {
+  result := 0; 
+  for i := 0 to |s|
+    invariant result == Sum(s[0..i])
+    //        ^^^^^^^^^^^^^^^^^^^^^^
+    //           Cannot be proved
+  {
+    result := result + s[i];
+  }
+  assert s[0..|s|] == s;
+}
\ No newline at end of file
diff --git a/v4.10.0/HowToFAQ/FAQFunctionByMethodProof1.txt b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof1.txt
new file mode 100644
index 0000000..c1cae25
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof1.txt
@@ -0,0 +1,2 @@
+FAQFunctionByMethodProof1.dfy(9,14): Error: this invariant could not be proved to be maintained by the loop
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/HowToFAQ/FAQFunctionByMethodProof2..txt b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof2..txt
new file mode 100644
index 0000000..c39a053
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof2..txt
@@ -0,0 +1 @@
+Dafny program verifier finished with 2 verified, 0 error
diff --git a/v4.10.0/HowToFAQ/FAQFunctionByMethodProof2.dfy b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof2.dfy
new file mode 100644
index 0000000..2169f6e
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof2.dfy
@@ -0,0 +1,28 @@
+function Sum(s: seq<int>): (result: int) {
+  if |s| == 0 then
+    0
+  else
+    s[0] + Sum(s[1..])
+} by method {
+  result := 0;
+  for i := 0 to |s|
+    invariant result + Sum(s[i..]) == Sum(s) // New invariant
+  {
+    result := result + s[i];
+  }
+} // No hint needed at the end
+
+lemma IntermediateProperty(result: int, result': int, i: int, s: seq<int>)
+  requires 0 <= i < |s|
+  requires result' == result + s[i]
+  requires result + Sum(s[i..]) == Sum(s)
+  ensures result' + Sum(s[i+1..]) == Sum(s)
+{
+  calc {
+     Sum(s);
+  == result + Sum(s[i..]);             // Requires definition
+  == result + (s[i]  + Sum(s[i+1..])); // Definition of Sum()
+  ==(result +  s[i]) + Sum(s[i+1..]);  // Associativity
+  == result'         + Sum(s[i+1..]);  // Definition of result'
+  }
+}
\ No newline at end of file
diff --git a/v4.10.0/HowToFAQ/FAQFunctionByMethodProof3.dfy b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof3.dfy
new file mode 100644
index 0000000..6229ab8
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof3.dfy
@@ -0,0 +1,17 @@
+function Sum(s: seq<int>): (result: int) {
+  if |s| == 0 then
+    0
+  else
+    Sum(s[0..|s|-1]) + s[|s| - 1]
+    // We add the last element to the sum of the first
+} by method {
+  result := 0;
+  for i := 0 to |s|
+    invariant result == Sum(s[0..i])
+  {
+    assert s[0..i+1][0..i] == s[0..i];
+     // Minimum hint needed for proof
+    result := result + s[i];
+  }
+  assert s[0..|s|] == s;
+} // One last hint
\ No newline at end of file
diff --git a/v4.10.0/HowToFAQ/FAQFunctionByMethodProof3.txt b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof3.txt
new file mode 100644
index 0000000..c39a053
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof3.txt
@@ -0,0 +1 @@
+Dafny program verifier finished with 2 verified, 0 error
diff --git a/v4.10.0/HowToFAQ/FAQFunctionByMethodProof4.dfy b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof4.dfy
new file mode 100644
index 0000000..5fd07ce
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof4.dfy
@@ -0,0 +1,10 @@
+function Sum(s: seq<int>): (result: int) {
+  if |s| == 0 then 0 else s[0] + Sum(s[1..])
+} by method {
+  result := 0;
+  for i := |s| downto 0              // Reverse. First i == |s| - 1
+    invariant result == Sum(s[i..])  // The invariant looks like the function
+  {
+    result := s[i] + result;         // Note how we sum in reverse as well.
+  }
+} // No hint needed at the end
\ No newline at end of file
diff --git a/v4.10.0/HowToFAQ/FAQFunctionByMethodProof4.txt b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof4.txt
new file mode 100644
index 0000000..c39a053
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionByMethodProof4.txt
@@ -0,0 +1 @@
+Dafny program verifier finished with 2 verified, 0 error
diff --git a/v4.10.0/HowToFAQ/FAQFunctionMethod.md b/v4.10.0/HowToFAQ/FAQFunctionMethod.md
new file mode 100644
index 0000000..5bf23c6
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionMethod.md
@@ -0,0 +1,16 @@
+---
+title: Is there any difference between a method without a modifies clause and a function with a reads this clause?  I know that the latter you can use in expressions, but otherwise, is there anything the former can do that the latter can’t, for example?
+---
+
+## Question
+
+Is there any difference between a method without a `modifies` clause and a function method with a `reads this` clause?  I know that the latter you can use in expressions.  Is there anything the former can do that the latter can’t, for example?
+
+## Answer
+
+Compared to a function, a method can
+- allocate objects and arrays (`new`)
+- use non-determinism
+- use loops
+- have multiple outputs
+- read anything in the heap
diff --git a/v4.10.0/HowToFAQ/FAQFunctionMethodDiffs.md b/v4.10.0/HowToFAQ/FAQFunctionMethodDiffs.md
new file mode 100644
index 0000000..3e209c5
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionMethodDiffs.md
@@ -0,0 +1,23 @@
+---
+title: What is the difference between `function`, `method`, `function method`, and `function by method`?
+---
+
+## Question
+
+What is the difference between `function`, `method`, `function method`, and `function by method`?
+
+## Answer
+
+The names of these alternatives will be changing between Dafny 3 and Dafny 4:
+
+- `function` (`function method` in Dafny 3) -- is a non-ghost function
+- `ghost function` (`function` in Dafny 3) -- is a ghost function
+- _function by method_ is a ghost function with an alternate compilable (non-ghost) method body (cf. [the reference manual section on function declarations](../DafnyRef/DafnyRef#sec-function-declarations))
+- `method` declares a non-ghost method
+- `ghost method` declares a ghost method, though this is almost always done using a `lemma` instead
+
+Note that
+- Methods may have side effects but may not be used in expressions.
+- Functions may be used in expressions but may not have side effects.
+- Methods do not have reads clauses; functions typically do.
+- Non-ghost methods and non-ghost functions may not be used in ghost code.
diff --git a/v4.10.0/HowToFAQ/FAQFunctionTypes.md b/v4.10.0/HowToFAQ/FAQFunctionTypes.md
new file mode 100644
index 0000000..3cad779
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionTypes.md
@@ -0,0 +1,22 @@
+---
+title: What is the meaning of and differences among `->`, `-->`, `~>`?
+---
+
+## Question
+
+What is the meaning of and differences among `->`, `-->`, `~>`?
+
+## Answer
+
+These are all used in designating the type of functions; they are sometimes called _arrow types_.
+In each case, `A -> B` is the type of a function taking an argument of type `A` and producing a value of type `B`;
+The function argument types can be enclosed in parentheses, and if the number of arguments is not 1 or the argument is a tuple type, then the argument types must be enclosed in parentheses. For example,
+`(A, B) -> C` is a type of function that takes two arguments; `((A, B)) -> C` takes as argument a 2-tuple.
+
+The three symbols in the question denote different sorts of types of functions:
+- `->` denotes a _total_ function that is independent of the heap; it may not have a `requires` clause (precondition) or a `reads` clause
+- `-->` denotes a _partial_ function; it may have a precondition, but may not have a `reads` clause, and so it also is independent of the heap
+- `~>` denotes a _partial_ and possibly _heap-dependent_ function; it may have `requires` and `reads` clauses
+
+If a function is independent of the heap, it is useful to say so, either in its declaration or the type that describes it. The value returned by a heap-independent function depends only on its arguments and not on the program state; 
+thus it is easier to reason about its properties. Working with heap-dependent functions is much more difficult than with heap-independent functions, so use `->` or `-->` if you can. And note that Dafny does not support polymorphic arrow types.
diff --git a/v4.10.0/HowToFAQ/FAQFunctionUnroll.md b/v4.10.0/HowToFAQ/FAQFunctionUnroll.md
new file mode 100644
index 0000000..ccf6322
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionUnroll.md
@@ -0,0 +1,38 @@
+---
+title: A function seems to work just once. How do I get it to apply a bunch of times?
+---
+
+## Question
+
+A function seems to work just once. How do I get it to apply a bunch of times?
+Here is an example:
+```
+{% include_relative FAQFunctionUnroll0.dfy %}
+```
+
+The latter two lemmas will not prove without uncommenting the application of the lemma for one less iteration.
+How can I get this to prove automatically?
+
+## Answer
+
+Function bodies are transparent. That is, when there is a call to a function in Dafny code, the body of the function
+is available for reasoning about the effect of the function. But for recursive functions, it generally only does this once or twice, as that is 
+usually sufficient to form an inductive proof. And always unrolling multiple times can reduce performance.
+
+You can request that Dafny unroll a function multiple times by using the `{:fuel}` attribute.
+The value of the attribute is the number of times the function will be unrolled. This is still a fixed upper limit,
+but it does the trick in this case:
+```
+{% include_relative FAQFunctionUnroll1.dfy %}
+```
+
+A function will also keep unrolling if it has an argument that is a literal and that argument decreases
+on each recursive call. So for this example we can write a helper function that takes a `nat` argument
+and give it a literal value that tells it how much to unroll.
+```
+{% include_relative FAQFunctionUnroll2.dfy %}
+```
+With this solution, the number of unrollings can be set at the call site, rather than in the function definition.
+
+[This paper](https://www.microsoft.com/en-us/research/publication/computing-smt-solver/) gives some technical insight into how recursive functions are handled in situations like these examples.
+
diff --git a/v4.10.0/HowToFAQ/FAQFunctionUnroll0.dfy b/v4.10.0/HowToFAQ/FAQFunctionUnroll0.dfy
new file mode 100644
index 0000000..2ffe995
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionUnroll0.dfy
@@ -0,0 +1,27 @@
+function Sum(s: seq<nat>): nat {
+  if |s| == 0 then 0
+  else s[0] + Sum(s[1..])
+}
+
+lemma Sum1(s: seq<nat>)
+  requires |s| == 1
+  ensures Sum(s) == s[0]
+{
+  // trivial
+}
+
+lemma Sum2(s: seq<nat>)
+  requires |s| == 2
+  ensures Sum(s) == s[0] + s[1]
+{
+  // Doesn't work.  I need...
+  // Sum1(s[1..]);
+}
+
+lemma Sum3(s: seq<nat>)
+  requires |s| == 3
+  ensures Sum(s) == s[0] + s[1] + s[2]
+{
+  // Doesn't work.  I need...
+  // Sum2(s[1..]);
+}
diff --git a/v4.10.0/HowToFAQ/FAQFunctionUnroll0.txt b/v4.10.0/HowToFAQ/FAQFunctionUnroll0.txt
new file mode 100644
index 0000000..061b768
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionUnroll0.txt
@@ -0,0 +1,6 @@
+FAQFunctionUnroll0.dfy(16,0): Error: A postcondition might not hold on this return path.
+FAQFunctionUnroll0.dfy(15,17): Related location: This is the postcondition that might not hold.
+FAQFunctionUnroll0.dfy(24,0): Error: A postcondition might not hold on this return path.
+FAQFunctionUnroll0.dfy(23,17): Related location: This is the postcondition that might not hold.
+
+Dafny program verifier finished with 5 verified, 2 errors
diff --git a/v4.10.0/HowToFAQ/FAQFunctionUnroll1.dfy b/v4.10.0/HowToFAQ/FAQFunctionUnroll1.dfy
new file mode 100644
index 0000000..5b3d9bf
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionUnroll1.dfy
@@ -0,0 +1,27 @@
+function {:fuel 10} Sum(s: seq<nat>): nat {
+  if |s| == 0 then 0
+  else s[0] + Sum(s[1..])
+}
+
+lemma Sum1(s: seq<nat>)
+  requires |s| == 1
+  ensures Sum(s) == s[0]
+{
+  // trivial
+}
+
+lemma Sum2(s: seq<nat>)
+  requires |s| == 2
+  ensures Sum(s) == s[0] + s[1]
+{
+  // Doesn't work.  I need...
+  // Sum1(s[1..]);
+}
+
+lemma Sum3(s: seq<nat>)
+  requires |s| == 3
+  ensures Sum(s) == s[0] + s[1] + s[2]
+{
+  // Doesn't work.  I need...
+  // Sum2(s[1..]);
+}
diff --git a/v4.10.0/HowToFAQ/FAQFunctionUnroll2.dfy b/v4.10.0/HowToFAQ/FAQFunctionUnroll2.dfy
new file mode 100644
index 0000000..a1efe39
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQFunctionUnroll2.dfy
@@ -0,0 +1,33 @@
+function Sum(s: seq<nat>): nat {
+  if |s| == 0 then 0
+  else s[0] + Sum(s[1..])
+}
+
+function Sum_(s: seq<nat>, n: nat): nat
+  ensures Sum(s) == Sum_(s,n)
+  ensures |s| > 0 && n > 0 ==> Sum_(s,n) == s[0] + Sum_(s[1..], n-1)
+{
+  if |s| == 0 || n == 0 then Sum(s)
+  else s[0] + Sum_(s[1..], n-1)
+}
+
+lemma Sum1(s: seq<nat>)
+  requires |s| == 1
+  ensures Sum(s) == s[0]
+{
+  // trivial
+}
+
+lemma Sum3(s: seq<nat>)
+  requires |s| == 3
+  ensures Sum(s) == s[0] + s[1] + s[2]
+{
+  var _ := Sum_(s, 3);
+}
+
+lemma Sum9(s: seq<nat>)
+  requires |s| == 9
+  ensures Sum(s) == s[0] + s[1] + s[2] + s[3] + s[4] + s[5] + s[6] + s[7] + s[8]
+{
+  var _ := Sum_(s, 9);
+}
diff --git a/v4.10.0/HowToFAQ/FAQGhostConstAsWitness.md b/v4.10.0/HowToFAQ/FAQGhostConstAsWitness.md
new file mode 100644
index 0000000..6bc18ab
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQGhostConstAsWitness.md
@@ -0,0 +1,22 @@
+---
+title: Why can a ghost const not be used as a witness? Does the compiler need to use the witness as an initial value?
+---
+
+## Question
+
+Why can a ghost const not be used as a witness? Does the compiler need to use the witness as an initial value?
+
+## Answer
+
+A type can be
+- auto-initializing (which means the compiler knows of a value of the type)
+- nonempty (which means there is a value of the type, but the compiler might not know it)
+- possibly empty (neither or the above is true)
+
+To show a type is auto-initializing, you may need to provide a witness clause. The expression given in the witness clause must be compilable.
+To just show a type is nonempty, you can use a ghost witness clause. It takes a ghost expression, so you should be able to use your ghost const here.
+If you don’t care about either, you can say `witness *`, which makes the type be treated as possibly empty.
+
+When declaring generic types, one can use _type characteristics_ to indicate any restrictions on the types that may be substituted for a type parameter.
+For example, writing `class A<T(0)>` says that types substituted fo `T` must be auto-initializing;
+writing `class A<T(00)>` says that such types must be non-empty.
diff --git a/v4.10.0/HowToFAQ/FAQGhostMethod.md b/v4.10.0/HowToFAQ/FAQGhostMethod.md
new file mode 100644
index 0000000..c739063
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQGhostMethod.md
@@ -0,0 +1,14 @@
+---
+title: What is the difference between a lemma and a ghost method?
+---
+
+## Question
+
+What is the difference between a lemma and a ghost method?
+
+## Answer
+
+A `lemma` is a `ghost method` that does not have a `modifies` clause. Lemmas also do not typically return results.
+However, in most places where a lemma is used, it must be declared as a lemma. For example the lemma call that can be part of an expression must call a method that is declared to be a lemma, not a ghost method.
+
+A lemma may also be called as a statement in the body of a method, but here a ghost method is allowed as well, so either can be used.
diff --git a/v4.10.0/HowToFAQ/FAQGhostSideEffects.md b/v4.10.0/HowToFAQ/FAQGhostSideEffects.md
new file mode 100644
index 0000000..bf34a34
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQGhostSideEffects.md
@@ -0,0 +1,32 @@
+---
+title: How can ghost code call methods with side effects?
+---
+
+## Question
+
+How can ghost code call methods with side effects?
+
+## Answer
+
+Ghost code may not have any effect on non-ghost state, but ghost code can have effects on ghost state.
+So a ghost method may modify ghost fields, as long as the specifications list the appropriate fields in
+the appropriate modifies clauses. The example code below demonstrates this:
+
+```dafny
+  class C {
+    ghost var c: int
+
+    ghost method m(k: int)
+      modifies this
+      ensures c == k
+    { 
+      c := k;
+    }
+
+    ghost method p() {
+      var cc := new C;
+      cc.m(8);
+      assert cc.c == 8;
+    }
+  }
+```
diff --git a/v4.10.0/HowToFAQ/FAQIff.md b/v4.10.0/HowToFAQ/FAQIff.md
new file mode 100644
index 0000000..6fe89e9
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQIff.md
@@ -0,0 +1,30 @@
+---
+title: When proving an iff (<==>), is there a nice way to prove this by proving each side of the implication separately without making 2 different lemmas?
+---
+
+## Question
+
+When proving an iff (<==>), is there a nice way to prove this by proving each side of the implication separately without making 2 different lemmas?
+
+## Answer
+
+Here are two ways to prove `A <==> B`:
+
+```
+if A {
+  // prove B...
+}
+if B {
+  // prove A...
+}
+```
+Another way is
+```
+calc {
+  A;
+==
+  // ...
+==
+  B;
+}
+```
diff --git a/v4.10.0/HowToFAQ/FAQImportAbstractModule.md b/v4.10.0/HowToFAQ/FAQImportAbstractModule.md
new file mode 100644
index 0000000..75cdcf3
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQImportAbstractModule.md
@@ -0,0 +1,67 @@
+---
+title: Why can compiled modules contain but not import abstract modules?
+---
+
+## Question
+
+Why can compiled modules contain but not import abstract modules?
+
+## Answer
+
+The question refers to code like this:
+```dafny
+abstract module J {}
+
+module K {
+  abstract module JJ {}
+  import J // ERROR
+}
+```
+It is indeed the case that the abstract module `JJ` can be declared in non-abstract module `K` but the abstract module `J` is not permitted to be imported.
+This discrepancy is the subject of a proposed change to Dafny rules (cf. [issue #2635](https://github.com/dafny-lang/dafny/issues/2635)).
+
+In either cases, however, there are limits on what can be done with an abstract submodule.
+It is first of all not compiled as part of the enclosing module. Thus it can only be used as the subject of refinement.
+
+That feature is described in the remainder of this FAQ.
+
+The enclosing module may declare an abstract module A and also a non-abstract module B that refines A.
+A refining module import (`import D : C`) may only occur in an abstract module itself.
+
+Generally speaking, suppose you have an underspecified module that is imported using ':', as in
+```
+abstract module Interface {
+  function addSome(n: nat): nat
+    ensures addSome(n) > n
+}
+abstract module Mod {
+  import A : Interface
+  method m() {
+    assert 6 <= A.addSome(5);
+  }
+}
+```
+Here `A` is abstract because it stands for any concrete module that adheres to the interface declared in `Interface`
+(note that the function `addSome` has no body). Consequently `Mod` must be abstract as well.
+`Interface` is not compilable, but it actually does not need to be declared `abstract`.
+
+Now we can implement a concrete version of `Interface`:
+```
+module Implementation {
+  function addSome(n: nat): nat
+    ensures addSome(n) == n + 1
+  {
+    n + 1
+  }
+}
+```
+
+Then we can implement the concrete module `Mod2` as a refinement of the abstract module `Mod`:
+```
+module Mod2 refines Mod {
+  import A = Implementation
+  ...
+}
+```
+Here the module `Mod.A`, which is an unspecified refinement of `Interface` inside of `Mod`, is refined to be the concrete module
+`Implementation` inside of `Mod2`, which is a refinement of `Mod`.
diff --git a/v4.10.0/HowToFAQ/FAQImportOneThing.md b/v4.10.0/HowToFAQ/FAQImportOneThing.md
new file mode 100644
index 0000000..c846f60
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQImportOneThing.md
@@ -0,0 +1,34 @@
+---
+title: I have a module that exports a bunch of things. In another module I only need to use 1 thing. Is there a way to import only the thing that I want?
+---
+
+## Question
+
+I have a module that exports a bunch of things. In another module I only need to use 1 thing. Is there a way to import only the thing that I want?
+
+## Answer
+
+The short answer is: use an export set.
+
+Here is an example. Suppose you have this code:
+``` dafny
+module A {
+  export JustJ reveals j
+  const i: int := 64
+  const j: int := 128
+}
+module B {
+  //import opened A // imports both i and j
+  import opened A`JustJ // just imports j
+}
+```
+The `export` directive in module `A` just exports the name `j` in the export set `JustJ`.
+So then you can import just `j` in `B` by importing ``A`JustJ``.
+
+You can create as many export sets as you like, for different contexts.
+See the details [here](../DafnyRef/DafnyRef#sec-export-sets-and-access-control).
+
+This feature does put the onus of defining the groups of exportable names on the supplying module.
+Your question asks for such control by the receiving module. The best course for the receiving
+module is to not use `import opened` and just use a qualified name for the one thing that is being used from the
+supplying module.
diff --git a/v4.10.0/HowToFAQ/FAQImportOpened.md b/v4.10.0/HowToFAQ/FAQImportOpened.md
new file mode 100644
index 0000000..0463f3c
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQImportOpened.md
@@ -0,0 +1,31 @@
+---
+title: A module A has names from an `import opened` of another module B, but if C imports A, it does not get those names. Please explain.
+---
+
+## Question
+
+A module A has names from an `import opened` or another module B, but if C imports A, it does not get those names. Please explain.
+
+## Answer
+
+Here is some example code:
+```dafny
+module A {
+  const a: int := 0
+}
+
+module B {
+  import opened A
+  const b: int := a; // This is A.a, known as a here because of the import opened
+}
+
+module C {
+  import opened B
+  const c: int := b; // This is B.b because of the import opened
+  const d: int := A.a; // B.A is known as A because of the import opened in B
+  const e: int := a; // ILLEGAL - opened is not transitive
+}
+```
+
+The `import opened` directive brings into the importing module all the names declared in the imported module,
+including the names of modules from import statements in the importee, but not names introduced into the importee (here `B`) by an import opened directive. `opened` is not transitive. As shown in the example code, the names in `A` are still available in `C` by qualifying them.
diff --git a/v4.10.0/HowToFAQ/FAQIncludes.md b/v4.10.0/HowToFAQ/FAQIncludes.md
new file mode 100644
index 0000000..5ec6800
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQIncludes.md
@@ -0,0 +1,16 @@
+---
+title: What's the syntax for paths in include directives? How do they get resolved?
+---
+
+## Question
+
+What's the syntax for paths in include directives? How do they get resolved?
+
+## Answer
+
+An include directive  is the `include` keyword followed by a string literal (in quotes).
+The string is a conventional file path for the OS on which you are running and is the full file name with extension.
+The filepath can be either absolute or relative; if relative, it is relative to the current working directory 
+(i.e., the result of `pwd` on Linux).
+
+As of version 3.7.3, there is no "include path" that might allow paths relative to other locations, but it is a feature request.
diff --git a/v4.10.0/HowToFAQ/FAQIssues.md b/v4.10.0/HowToFAQ/FAQIssues.md
new file mode 100644
index 0000000..410de54
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQIssues.md
@@ -0,0 +1,17 @@
+---
+title: How do I ask a question or file a problem report or make a suggestion about Dafny?
+---
+
+## Question
+
+How do I ask a question or file a problem report or make a suggestion about Dafny?
+
+## Answer
+
+You can ask questions about Dafny
+- on Stack Overflow, tagged as 'dafny': [https://stackoverflow.com/questions/tagged/dafny](https://stackoverflow.com/questions/tagged/dafny)
+
+You can report issues
+- On the Dafny Issues log: [https://github.com/dafny-lang/dafny/issues](https://github.com/dafny-lang/dafny/issues)
+
+Documentation about Dafny is available at [https://dafny.org](https://dafny.org) and links from there.
diff --git a/v4.10.0/HowToFAQ/FAQIterator.md b/v4.10.0/HowToFAQ/FAQIterator.md
new file mode 100644
index 0000000..f3f4c66
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQIterator.md
@@ -0,0 +1,45 @@
+---
+title: How do I create and use an iterator?
+---
+
+## Question
+
+How do I create and use an iterator?
+
+## Answer
+
+Here is an example of an iterator:
+```dafny
+iterator Gen(start: int) yields (x: int)
+  yield ensures |xs| <= 10 && x == start + |xs| - 1
+{
+  var i := 0;
+  while i < 10 invariant |xs| == i {
+    x := start + i;
+    yield;
+    i := i + 1;
+  }
+}
+```
+An instance of this iterator is created using
+```dafny
+iter := new Gen(30);
+```
+It is used like this:
+```
+method Main() {
+  var i := new Gen(30);
+  while true
+    invariant i.Valid() && fresh(i._new)
+    decreases 10 - |i.xs|
+  {
+    var m := i.MoveNext();
+    if (!m) {break; }
+    print i.x;
+  }
+}
+```
+Here the method `MoveNext` and the field `xs` (and others) are automatically created, 
+as decribed in the [reference manual](../DafnyRef/DafnyRef#sec-iterator-types).
+
+Note that the syntax of iterators is under discussion in the Dafny development team and may change or have additional alternatives in the future.
diff --git a/v4.10.0/HowToFAQ/FAQLambdaSpecifications.md b/v4.10.0/HowToFAQ/FAQLambdaSpecifications.md
new file mode 100644
index 0000000..6c3eaca
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQLambdaSpecifications.md
@@ -0,0 +1,56 @@
+---
+title: "How do I write specifications for a lambda expression in a sequence constructor?"
+---
+
+## Question
+
+How do I write specifications for a lambda expression in a sequence constructor?
+
+## Answer
+
+Consider the code
+```dafny
+class C {
+  var p: (int, int);
+}
+
+function Firsts0(cs: seq<C>): seq<int> {
+  seq(|cs|, i => cs[i].p.0) // Two errors: `[i]` and `.p`
+}
+```
+
+Dafny complains about the array index and an insufficient reads clause in the lambda function.
+Both of these need specifications, but where are they to be written.
+
+The specifications in a lamda function expression are written after the formal aarguments
+but before the `=>`.
+
+The array index problem is solved by a `requires` clause that limits the range of the index::
+```dafny
+class C {
+  var p: (int, int);
+}
+
+function Firsts0(cs: seq<C>): seq<int> {
+  seq(|cs|, i requires 0 <= i < |cs| => cs[i].p.0) // Two errors: `[i]` and `.p`
+}
+```
+
+and the reads complaint by a `reads` clause that states which objects will be read.
+In this case, it is the objects `cs[i]` that have their `p` field read.
+If the element type of `cs` were a value type instead of a reference type, this
+`reads` clause would be unnecessary.
+
+```dafny
+class C {
+  var p: (int, int);
+}
+
+function Firsts2(cs: seq<C>): seq<int>
+  reads set i | 0 <= i < |cs| :: cs[i]
+{
+  seq(|cs|, i
+    requires 0 <= i < |cs|
+    reads set i | 0 <= i < |cs| :: cs[i] => cs[i].p.0)
+}
+```
diff --git a/v4.10.0/HowToFAQ/FAQLoopModifies.md b/v4.10.0/HowToFAQ/FAQLoopModifies.md
new file mode 100644
index 0000000..7730d06
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQLoopModifies.md
@@ -0,0 +1,126 @@
+---
+title: If I have an assertion about an object (of class type) and a loop that doesn't mention (read, modify) the object, why does dafny fail to establish the assertion after the loop?
+---
+
+## Question
+
+If I have an assertion about an object and a loop that doesn't mention (read, modify) the class, 
+why does dafny fail to establish the assertion after the loop?
+
+## Answer
+
+The short answer is that you need an appropriate combination of modifies clauses and 
+loop invariants to prove assertions about the end result of a loop.
+
+In Dafny's way of reasoning about a loop (which is typical of verifier systems), 
+the loop invariant is the only thing you can assume at the top of every iteration. 
+In other words, at the top of each loop iteration, it is as if all variables have 
+arbitrary values, with the condition that the loop invariant is satisfied. 
+Sometimes, the word _havoc_ is used to describe this: the verifier havocs all variables, 
+that is, gives all variables arbitrary values, and then assumes the loop invariant.
+
+If that’s all the verifier did, life would be a pain, because you’d have to write a
+loop invariant about all variables in your program, even those that have nothing to do with the loop.
+The verifier actually does better. Instead of havocing all variables, it suffices to havoc 
+the assignment targets within the body of the loop, including anything that might be modified by methods called in the loop body. 
+That is, the verifier uses a simple syntactic scan of the loop body to see which 
+variables may possibly be assigned, and then it havocs only those variables. 
+This saves users from having to write loop invariants about all other variables.
+Only invariants about variables that are modified are needed.
+
+What about the heap? For this purpose, the heap is considered to be one variable. 
+So, the heap is either an assignment target of the loop or it isn’t. 
+This means that if your loop body assigns to anything in the heap, the heap becomes an assignment target. 
+Also, if the loop body allocates another object, that too is a change of the heap, 
+so the heap becomes an assignment target. 
+Furthermore, Dafny’s rule about a method is that a method is allowed to change the 
+state of any object in the method’s modifies clause, 
+and it is also allowed to allocate new objects and to modify their state. 
+Therefore, if your loop body calls a method, then the heap may well become an assignment target.
+
+So, then, does this mean your loop invariant needs to speak about everything in the heap whenever the heap is an assignment target of the loop?
+
+Again, no. Loops in Dafny have `modifies` clauses, just like methods do (and just like for methods, 
+newly allocated objects are implicitly included in those `modifies` clauses). 
+It would be a pain to even have to write `modifies` clauses for every loop, 
+so if a loop does not have an explicit `modifies` clause, Dafny implicitly attaches 
+the `modifies` clause of the enclosing method (or of the enclosing loop, in the case of nested loops). 
+This default behavior turns out to be right in almost all cases in practice, 
+which is why you normally don’t have to think about this issue.
+
+But when it is not, you need to be explicit about the `modifies` clause and the loop invariants. 
+In particular
+- write a `modifies` clause for the loop that includes all objects whose fields might be 
+assigned in the loop body (or listed in the modifies clauses of anything the loop body calls)
+- then write a loop invariant that includes assertions about any variable that is listed in the modifies clause
+or is an assignment target in the loop body. 
+Very typically, the invariant will give a value for each havoced variable showing its relationship to the loop index.
+
+For example, a loop that sets the elements of an array to some initial value might look like this:
+```dafny
+method init(a: array<int>) 
+  modifies a
+  ensures forall j | 0 <= j < a.Length :: a[j] == j
+{
+  var i := 0;
+
+  while i < a.Length
+    modifies a
+    invariant 0 <= i <= a.Length && forall j | 0 <= j < i :: a[j] == j
+  {
+    a[i] := i;
+    i := i + 1;
+  }
+}
+```
+
+Note the following points:
+- The method specifies that it might modify the elements of the array `a`.
+- The loop says that it modifies the same array. 
+In fact that modifies clause could be omitted
+because it would be inherited from the enclosing context.
+- The loop also modifies `i`, but as `i` is a local variable, it need not be listed in the modifies clause.
+- The loop also has an invariant, which has two conjuncts:
+   - One conjunct talks about the local variable `i`. Even though `i` is not in the modifies clause 
+    it is an assignment target, so we need to say what is known about it (prior to the loop test).
+   - The other conjunct talks about the elements of `a`, which depend on `i`, 
+    that is, on how many iterations of the loop have been executed.
+- After the loop, Dafny uses the loop invariant and the negation of the loop guard to conclude `i == a.Length`, and from that and the invariant, Dafny can prove the method's postcondition.
+
+Even when Dafny can infer an appropriate modifies clause, it does not infer loop invariants, so the user always needs to supply those. 
+
+Here is another example:
+```dafny
+class Counter {
+  var n: nat
+}
+
+// print "hello" c.n times and then increment c.n
+method PrintAndIncrement(c: Counter)
+  modifies c
+  ensures c.n == old(c.n) + 1
+{
+  for _ := 0 to c.n
+    // To verify this method, the loop needs one of the following two lines:
+    invariant c.n == old(c.n)
+    modifies {} // empty modifies clause
+  {
+    PrintHello();
+  }
+  c.n := c.n + 1;
+}
+
+method PrintHello() {
+  print "hello\n";
+}
+```
+The for-loop can be specified and the whole method verified in two different ways.
+
+First, suppose we do not include a modifies clause in the loop specifications of the loop.
+Then dafny will use the enclosing modifies clause, which allows changing the
+state of `c`. In order for the method body to know that the loop has not 
+changed `c.n`, the loop needs the invariant `c.n == old(c.n)`.
+
+Alternatively, the loop can specify its own modifies clause,
+`modifies {}`, saying it modifies nothing. Then it follows directly that
+`c.n` does not change in the loop, so no invariant is needed to carry out the proof.
diff --git a/v4.10.0/HowToFAQ/FAQMapExtensionality.md b/v4.10.0/HowToFAQ/FAQMapExtensionality.md
new file mode 100644
index 0000000..84fa6e0
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQMapExtensionality.md
@@ -0,0 +1,108 @@
+---
+title: I have a lemma and later an assert stating the postcondition of the lemma, but it fails to prove. Why and how do I fix it?
+---
+
+## Question: I have a lemma and later an assert stating the postcondition of the lemma, but it fails to prove. Why and how do I fix it?
+
+I have this lemma
+```dafny
+    lemma MapKeepsCount<X,Y,Z>(m : map<X,Y>, f : (X) -> Z)
+      requires forall a : X, b : X :: a != b ==> f(a) != f(b)
+      ensures |m| == |map k <- m.Keys :: f(k) := m[k]|
+```
+and later on this code
+```dafny
+MapKeepsCount(schema, k => Canonicalize(tableName, k));
+assert |schema| == |map k <- schema.Keys | true :: Canonicalize(tableName, k) := schema[k]|;
+```
+
+The final assert fails, even though it exactly matches the ensures of the lemma.
+What am I missing? 
+
+If the lemma is an axiom, one can try to assume the post condition right before the assertion. 
+But that failed in this case
+
+```dafny
+MapKeepsCount(schema, k => Canonicalize(tableName, k));
+assume |schema| == |map k <- schema.Keys | true :: Canonicalize(tableName, k) := schema[k]|;
+assert |schema| == |map k <- schema.Keys | true :: Canonicalize(tableName, k) := schema[k]|;
+```
+
+Which makes no sense.
+I even put the function into a variable, and this still fails
+```dafny
+assume |schema| == |map k <- schema.Keys :: fn(k) := schema[k]|;
+assert |schema| == |map k <- schema.Keys :: fn(k) := schema[k]|;
+```
+
+## Answer:
+
+The explanation is a little involved, and in the end gets into a weakness of Dafny. But these is a workaround. Here goes:
+
+To prove that the `|map …|` expression in the specification has the same value as the `|map …|` expression in the code, 
+the verifier would either have to compute the cardinality of each map (which it can’t do, because `m.Keys` is symbolic and could stand for any size set) 
+or reason that the one `map …` is the very same map as the other `map …` (in which case it would follow that the cardinality of the two maps are also the same).
+The way to prove that two maps are equal is to show that they have the same keys and the same mappings. 
+The idea of proving two things equal by looking at the “elements” of each of the two things is called extensionality. 
+Dafny never tries to prove extensionality, but it’s happy to do it if you ask it to. 
+For example, if `G` is a function that you know nothing about and you ask to prove
+```dafny
+assert G(s + {x}) == G({x} + s + {x});
+```
+then Dafny will complain. You have to first establish that the arguments to these two invocations of `G` are the same, which you can do with an assert:
+```dafny
+assert s + {x} == {x} + s + {x};
+assert G(s + {x}) == G({x} + s + {x});
+```
+
+Here, Dafny will prove the first assertion (which it actually does by proving that the sets are elementwise equal) and will then use the first assertion to prove the second.
+Going back to your example, Dafny needs to know that the two `map`s are equal. To help it along, perhaps you could mention the two in an assertion, like
+
+`assert map … == map …;`
+
+But you can’t do that here, because the two map expressions are in different scopes and use different variables.
+To establish that the two maps are equal, we thus need to do something else. 
+If the two of them looked the same, then Dafny would know that the are the same. 
+But the form is slightly different, because you are (probably without thinking about it) instantiating a lambda expression. 
+To make them the same, you could rewrite the code to:
+```dafny
+  var F := k => Canonicalize(tableName, k);
+  MapKeepsCount(schema, F);
+  assert |schema| == |map k <- schema.Keys | true :: F(k) := schema[k]|;
+```
+
+Now, this `map …` syntactically looks just like the one in the lemma postcondition, but with `schema` instead of `m` and with `F` instead of `f`. 
+When two map comprehensions (or set comprehensions, or lambda expressions) are syntactically the same like this, then Dafny knows to treat them the same.
+Almost. 
+Alas, there’s something about this example that makes what I said not quite true (and I didn’t dive into those details just now). 
+There is a workaround, and this workaround is often useful in places like this, so I’ll mention it here. 
+The workaround is to give the comprehension a name. Then, if you use the same name in both the caller and callee, 
+Dafny will know that they are the same way of constructing the map. 
+The following code shows how to do it: 
+```dafny
+lemma MapKeepsCount<X, Y, Z>(m: map<X, Y>, f: X -> Z)
+  requires forall a: X, b: X :: a != b ==> f(a) != f(b)
+  ensures |m| == |MyMap(f, m)|
+
+ghost function MyMap<X, Y, Z>(f: X -> Y, m: map<X, Z>): map<Y, Z>
+  requires forall a <- m.Keys, b <- m.Keys :: a != b ==> f(a) != f(b)
+{
+  map k <- m.Keys :: f(k) := m[k]
+}
+
+method Use<X,Y,Z>(schema: map<X,Y>, tableName: TableName)
+  requires forall a : X, b : X :: a != b ==> Canonicalize(tableName, a) != Canonicalize(tableName, b)
+{
+  var F := k => Canonicalize(tableName, k);
+  MapKeepsCount(schema, F);
+  assert |schema| == |MyMap(F, schema)|;
+}
+
+
+type TableName
+
+function SimpleCanon<K>(t: TableName, k: K): int
+
+```
+
+It manually introduces a function `MyMap`, and by using it in both caller and callee, the code verifies.
diff --git a/v4.10.0/HowToFAQ/FAQMapMembership.md b/v4.10.0/HowToFAQ/FAQMapMembership.md
new file mode 100644
index 0000000..96f695c
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQMapMembership.md
@@ -0,0 +1,36 @@
+---
+title: "Why does Dafny not know this obvious property of maps?"
+---
+
+** Question: Why does Dafny not know this obvious property of maps?
+
+I have this simple program:
+
+```dafny
+method mmm<K(==),V(==)>(m: map<K,V>, k: K, v: V) {
+    var mm := m[k := v];
+    assert v in mm.Values;
+  }
+```
+
+The value `v` has just been inserted into the map. Why can't Dafny prove that `v` is now an element of the map?
+
+** Answer
+
+Dafny does not include all possible properties of types in its default set of axioms. The principal reason for this
+is that including all axioms can give Dafny too much information, such that finding proofs becomes more time-consuming
+for all (or most) problems. The trade-off is that the user has to give hints more often.
+
+In this particular example, in order for Dafny to prove that `v` is in `mm.Values`, it needs to prove that
+`exists k': K :: k' in mm.Keys && mm[k'] == v`. This is a difficult assertion to prove; the use of the axiom is not triggered
+unless there is some term of the form `_ in mm.Keys` present in the assertions. So the proof is made much easier if we
+first assert that `k in mm.Keys`; then Dafny sees immediately that `k` is the `k'` needed in the exists expression.
+So
+```dafny
+method mmm<K(==),V(==)>(m: map<K,V>, k: K, v: V) {
+    var mm := m[k := v];
+    assert k in mm.Keys;
+    assert v in mm.Values;
+  }
+```
+proves just fine.
diff --git a/v4.10.0/HowToFAQ/FAQMatchOnSet.md b/v4.10.0/HowToFAQ/FAQMatchOnSet.md
new file mode 100644
index 0000000..0041c53
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQMatchOnSet.md
@@ -0,0 +1,12 @@
+---
+title: How do I pattern match against a head and tail of a sequence or against a set?
+---
+
+## Question
+
+How do I pattern match against a head and tail of a sequence or against a set?
+
+## Answer
+
+You can't. Match [expressions](../DafnyRef/DafnyRef#sec-match-expression) and [statements](../DafnyRef/DafnyRef#sec-match-statement) operate on `datatype` values and not on other Dafny types like sets, sequences, and maps. If statements, perhaps with [binding guards](../DafnyRef/DafnyRef#sec-binding-guards), may be an alternative.
+
diff --git a/v4.10.0/HowToFAQ/FAQMepSetSeq.md b/v4.10.0/HowToFAQ/FAQMepSetSeq.md
new file mode 100644
index 0000000..f0d3f03
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQMepSetSeq.md
@@ -0,0 +1,14 @@
+---
+title: How do I create a new empty map (or set or sequence)?
+---
+
+## Question
+
+How do I create a new empty map (or set or sequence)?
+
+## Answer
+
+An empty sequence is denoted by `[]`, an empty set by `{}`, an empty multiset by `multiset{}`,  and an empty map by
+`map[]`. The type of the empty collection is typically inferred from its subsequent use.
+
+The various operations on values of these types are described [in the reference manual section on Collection Types](../DafnyRef/DafnyRef#sec-collection-types).
diff --git a/v4.10.0/HowToFAQ/FAQMethodSequence.md b/v4.10.0/HowToFAQ/FAQMethodSequence.md
new file mode 100644
index 0000000..9922fbe
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQMethodSequence.md
@@ -0,0 +1,16 @@
+---
+title: Is there a way to use methods within expressions?
+---
+
+## Question
+
+Is there a way to use methods within expressions?
+
+## Answer
+
+No. Dafny distinguishes statements and expressions. Statements are permitted to update variables and fields (that is, have side-effects); expressions are not allowed to do so. In general, methods may have side-effects and so Dafny does not allow methods in expressions.
+So you need to call each method in a statement of its own, using temporary local variables to record the results,
+and then formulate your expression.
+
+If the methods in question do not have side-effects, they can be rewritten as functions or 'function by method'
+and then the syntax decribed above is fine.
diff --git a/v4.10.0/HowToFAQ/FAQModifiesOne.md b/v4.10.0/HowToFAQ/FAQModifiesOne.md
new file mode 100644
index 0000000..51014e8
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQModifiesOne.md
@@ -0,0 +1,13 @@
+---
+title: Is there a way to specify that all fields of an object, except a given one, don’t change?
+---
+
+## Question
+
+Is there a way to specify that all fields of an object, except a given one, don’t change?
+
+## Answer
+
+Instead of writing `modifies this` or `modifies o`, you can write ``modifies this`f`` (equivalently ``modifies `f``)
+or ``modifies o`f``
+to indicate that just the field `f` of `this` or `o`, respectively, may be assigned to.
diff --git a/v4.10.0/HowToFAQ/FAQModifiesThis.md b/v4.10.0/HowToFAQ/FAQModifiesThis.md
new file mode 100644
index 0000000..b822f31
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQModifiesThis.md
@@ -0,0 +1,17 @@
+---
+title: What is the difference between modifies this, modifies this.x, and modifies this`x?
+---
+
+## Question
+
+What is the difference between `modifies this`, `modifies this.x`, and ``modifies this`x``?
+
+## Answer
+
+A `modifies` clause for a method lists object references whose fields may be modified by the body of the method.
+- `this` means that all the fields of the `this` object may be modified by the body
+- `this.x` (where `x` is a field of `this` and has some reference type) means that fields of `x` may be modified (but not the field `x` itself of `this`)
+- ``this`x`` means that just the field `x` of `this` may be modified (and not any other fields, unless they are listed themselves)
+
+If there are multiple items listed in the modifies clause, the implicit clause is the union of all of them.
+More on framing (`modifies` and `reads` clauses) can be found in the [reference manual section on Framing specifications](../DafnyRef/DafnyRef#sec-frame-expression).
diff --git a/v4.10.0/HowToFAQ/FAQModuleImport.dfy b/v4.10.0/HowToFAQ/FAQModuleImport.dfy
new file mode 100644
index 0000000..a449a14
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQModuleImport.dfy
@@ -0,0 +1,15 @@
+module A {
+  type D = string
+}
+
+module Y {
+  import opened A
+
+  module X {
+    type X = D
+  }
+
+  module Z {
+    type Z = D
+  }
+}
diff --git a/v4.10.0/HowToFAQ/FAQModuleImport.md b/v4.10.0/HowToFAQ/FAQModuleImport.md
new file mode 100644
index 0000000..c8110bd
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQModuleImport.md
@@ -0,0 +1,22 @@
+---
+title: Why do nested modules not see the imports of their enclosing modules?
+---
+
+## Question
+
+Why is my import opened statement not working in the following example:
+```
+{% include_relative FAQModuleImport.dfy %}
+```
+
+## Answer
+
+Although nested modules are nested inside other modules, they should really be thought of as their own module.
+There is no particular benefit to module `A.B` from being nested inside module `A` --- none of the declarations of `A` are visible in `B` other than the names of sibling modules of `B`.
+The benefit is to module `A`, for which the nested module `B` is a namespace that can group some related declarations together.
+
+Accordingly, if you want some names from another module to be available within a submodule, you must import that directly in the submodule.
+The example above becomes this:
+```
+{% include_relative FAQModuleImport1.dfy %}
+```
diff --git a/v4.10.0/HowToFAQ/FAQModuleImport.txt b/v4.10.0/HowToFAQ/FAQModuleImport.txt
new file mode 100644
index 0000000..0e298a7
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQModuleImport.txt
@@ -0,0 +1,3 @@
+FAQModuleImport.dfy(9,13): Error: Undeclared top-level type or type parameter: D (did you forget to qualify a name or declare a module import 'opened'?)
+FAQModuleImport.dfy(13,13): Error: Undeclared top-level type or type parameter: D (did you forget to qualify a name or declare a module import 'opened'?)
+2 resolution/type errors detected in FAQModuleImport.dfy
diff --git a/v4.10.0/HowToFAQ/FAQModuleImport1.dfy b/v4.10.0/HowToFAQ/FAQModuleImport1.dfy
new file mode 100644
index 0000000..3592a17
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQModuleImport1.dfy
@@ -0,0 +1,16 @@
+module A {
+  type D = string
+}
+
+module Y {
+
+  module X {
+    import opened A
+    type X = D
+  }
+
+  module Z {
+    import opened A
+    type Z = D
+  }
+}
diff --git a/v4.10.0/HowToFAQ/FAQModuleNames.dfy b/v4.10.0/HowToFAQ/FAQModuleNames.dfy
new file mode 100644
index 0000000..3cb735c
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQModuleNames.dfy
@@ -0,0 +1,15 @@
+module util {
+  const x: nat := 0
+}
+
+module util_ {
+  import util
+}
+
+module java {
+  module util {
+    import util_
+    const y: nat := util_.util.x
+    method test() { assert y == 0; }
+  }
+}
diff --git a/v4.10.0/HowToFAQ/FAQModuleNames.md b/v4.10.0/HowToFAQ/FAQModuleNames.md
new file mode 100644
index 0000000..a33c03b
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQModuleNames.md
@@ -0,0 +1,21 @@
+---
+title: How do I disambiguate module names?
+---
+
+## Question
+
+How do I disambiguate module names in an example like this:
+```dafny
+{% include_relative FAQModuleNames0.dfy %}
+```
+
+## Answer
+
+There is no direct syntax to do what is wanted here.
+If you have control of the names, perhaps some renaming or moving the top-level `util` to be a sub-module of another module.
+If this structure cannot be changed, then the following somewhat ugly code is a work-around:
+```dafny
+{% include_relative FAQModuleNames.dfy %}
+```
+
+There is discussion of defining syntax that names the top-level module, which would make an easy way to solve the above problem. See [this issue](https://github.com/dafny-lang/dafny/issues/2493).
diff --git a/v4.10.0/HowToFAQ/FAQModuleNames0.dfy b/v4.10.0/HowToFAQ/FAQModuleNames0.dfy
new file mode 100644
index 0000000..aa835a2
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQModuleNames0.dfy
@@ -0,0 +1,10 @@
+module util {
+  const x: nat := 0
+}
+
+module java {
+  module util {
+    const y: nat := util.x
+    method test() { assert y == 0; }
+  }
+}
diff --git a/v4.10.0/HowToFAQ/FAQModuleNames0.txt b/v4.10.0/HowToFAQ/FAQModuleNames0.txt
new file mode 100644
index 0000000..1b04fd1
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQModuleNames0.txt
@@ -0,0 +1,2 @@
+FAQModuleNames0.dfy(7,20): Error: unresolved identifier: util
+1 resolution/type errors detected in FAQModuleNames0.dfy
diff --git a/v4.10.0/HowToFAQ/FAQMonadic.md b/v4.10.0/HowToFAQ/FAQMonadic.md
new file mode 100644
index 0000000..e77b66c
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQMonadic.md
@@ -0,0 +1,36 @@
+---
+title: Does Dafny have monadic error handling?
+---
+
+## Question
+
+Does Dafny have monadic error handling?
+
+## Answer
+
+Yes.
+
+In particular, see the section of the reference manual on [Update with Failure statements](../DafnyRef/DafnyRef#sec-update-failure).
+The (draft) standard library includes [some types needed for error handling](https://github.com/dafny-lang/libraries/blob/master/src/Wrappers.dfy).
+
+You can define your own monadic error type by following examples in the RM and the draft library. A simple case is
+```dafny
+datatype Outcome<T> =
+            | Success(value: T)
+            | Failure(error: string)
+{
+  predicate IsFailure() {
+    this.Failure?
+  }
+  function PropagateFailure<U>(): Outcome<U>
+    requires IsFailure()
+  {
+    Failure(this.error) // this is Outcome<U>.Failure(...)
+  }
+  function Extract(): T
+    requires !IsFailure()
+  {
+    this.value
+  }
+}
+```
diff --git a/v4.10.0/HowToFAQ/FAQMultClauses.md b/v4.10.0/HowToFAQ/FAQMultClauses.md
new file mode 100644
index 0000000..6f130ec
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQMultClauses.md
@@ -0,0 +1,19 @@
+---
+title: When a lemma has multiple ensures clauses, I’m finding that they interact, when I expected them to be independent.  For example, commenting out one of them can make another one not verify.  How should I think about this?
+---
+
+## Question
+
+When a lemma has multiple ensures clauses, I’m finding that they interact, when I expected them to be independent.  For example, commenting out one of them can make another one not verify.  How should I think about this?
+
+## Answer
+
+Multiple ensures clauses, such as `ensures P ensures Q ensures R` is equivalent to the conjunction, in order, of the ensures predicates: `ensures P && Q && R`.
+The order is important if an earlier predicate is needed to be sure that a later one is well defined. For example,
+if `a` is an `array?`, the two predicates in `ensures a != null ensures a.Length > 0`
+must be in that order because `a.Length` is well-defined only if `a != null`.
+
+In addition, sometimes one ensures clause serves as an intermediate reasoning step for the next one. Without the earlier clause, Dafny can have trouble proving the second one, even though it is valid.
+With the first predicate as an intermediate step, the second is then more easily proved.
+
+This order dependence of postconditions is also the case for preconditions and loop invariants
diff --git a/v4.10.0/HowToFAQ/FAQMutualRecursion.md b/v4.10.0/HowToFAQ/FAQMutualRecursion.md
new file mode 100644
index 0000000..15797d3
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQMutualRecursion.md
@@ -0,0 +1,80 @@
+---
+title: How do I make Dafny termination checking happy with mutual recursion?
+---
+
+## Question
+
+How do I make Dafny termination checking happy with mutual recursion, like the following example:
+```dafny
+datatype T = Y | N | B(T,T)
+
+function f(x : T) : bool {
+    match x {
+        case Y => true
+        case N => false
+        case B(x,y) => g(x,y)
+    }
+}
+
+function g(x : T, y : T) : bool {
+    f(x) && f(y)
+}
+```
+
+If `g` is inlined there is no problem. What should I do?
+
+## Answer
+
+Termination of recursion is proved using a `decreases` clause. For the single function
+Dafny can successfully guess a decreases metric. But for this mutual recursion case,
+the user must supply on.
+
+The termination metric for a recursive datatype (like `T` here) is the height of the tree denoted by the argument `x`, in this case.
+So there is definitely a decrease in the metric from the call of `f` to the call of `g`, but there is not when `g` calls `f`.
+One solution to this situation is the following:
+```dafny
+datatype T = Y | N | B(T,T)
+
+function f(x : T) : bool 
+  decreases x, 1
+{
+    match x {
+        case Y => true
+        case N => false
+        case B(x,y) => g(x,y)
+    }
+}
+
+function g(x : T, y : T) : bool 
+  decreases B(x,y), 0
+{
+    f(x) && f(y)
+}
+```
+Here when `f` calls `g`, the metric goes from `x, 1` to `B(x.x, x.y), 0`. Because `x` is the same as `B(x.x, x.y)`, the lexicographic ordering looks
+at the next component, which does decrease from `1` to `0`. Then in each case that `g` calls `f`, the metric goes from `B(x,y), 0` to `x,1` or `y,1`,
+which decreases on the first component.
+
+Another solution, which is a pattern applicable in other circumstances as well, is to use a ghost parameter as follows:
+```dafny
+datatype T = Y | N | B(T,T)
+
+function f(x : T) : bool
+  decreases x, 1
+{
+  match x {
+    case Y => true
+    case N => false
+    case B(x',y') => g(x,x',y')
+  }
+}
+
+function g(ghost parent: T, x : T, y : T) : bool
+  decreases parent, 0
+  requires x < parent && y < parent
+{
+  f(x) && f(y)
+}
+```
+
+More on the topic of termination metrics can be found [here](../DafnyRef/DafnyRef#sec-decreases-clause).
diff --git a/v4.10.0/HowToFAQ/FAQNameConflict.dfy b/v4.10.0/HowToFAQ/FAQNameConflict.dfy
new file mode 100644
index 0000000..c81920a
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNameConflict.dfy
@@ -0,0 +1,10 @@
+module Result {
+  datatype Result<T> = Success(x: T) | Failure(e: string)
+}
+module Test {
+  import opened Result
+  function method f(): Result<int>
+  {
+    Success(0)
+  }
+}
diff --git a/v4.10.0/HowToFAQ/FAQNameConflict.md b/v4.10.0/HowToFAQ/FAQNameConflict.md
new file mode 100644
index 0000000..77b63a3
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNameConflict.md
@@ -0,0 +1,27 @@
+---
+title: Dafny doesn’t like when a type and a module have the same name. How can I fix this?
+---
+
+## Question
+
+Dafny doesn’t like when a type and a module have the same name. How can I fix this?
+```
+{% include_relative FAQNameConflict.dfy %}
+```
+produces
+```
+{% include_relative FAQNameConflict.txt %}
+```
+
+## Answer
+
+The problem is that in the `Test` module, the name `Result` is both a module name and a datatype name.
+The module name takes precedence and so the resolution error happens.
+(Despite the error message, modules never have type arguments.)
+
+This situation can be fixed two ways. First, write `Result.Result` to mean the datatype. Or second, 
+import the module with a new name, such as `import opened R = Result`. Then inside module Test, there is
+the name `R` for a module and the name `Result` for the datatype. The following code shows both these options.
+```
+{% include_relative FAQNameConflict1.dfy %}
+```
diff --git a/v4.10.0/HowToFAQ/FAQNameConflict.txt b/v4.10.0/HowToFAQ/FAQNameConflict.txt
new file mode 100644
index 0000000..020f971
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNameConflict.txt
@@ -0,0 +1,2 @@
+FAQNameConflict.dfy(6,23): Error: Wrong number of type arguments (1 instead of 0) passed to module: Result
+1 resolution/type errors detected in FAQNameConflict.dfy
diff --git a/v4.10.0/HowToFAQ/FAQNameConflict1.dfy b/v4.10.0/HowToFAQ/FAQNameConflict1.dfy
new file mode 100644
index 0000000..f114576
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNameConflict1.dfy
@@ -0,0 +1,17 @@
+module Result {
+  datatype Result<T> = Success(x: T) | Failure(e: string)
+}
+module Test {
+  import opened Result
+  function method f(): Result.Result<int>
+  {
+    Success(0)
+  }
+}
+module Test1 {
+  import opened R = Result
+  function method f(): Result<int>
+  {
+    Success(0)
+  }
+}
diff --git a/v4.10.0/HowToFAQ/FAQNeedsAssert.md b/v4.10.0/HowToFAQ/FAQNeedsAssert.md
new file mode 100644
index 0000000..b7221b6
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNeedsAssert.md
@@ -0,0 +1,25 @@
+---
+title: Why does Dafny need an obvious assert?
+---
+
+## Question:
+
+Why does Dafny need the assert in this example:
+```
+lemma Foo<T>(s: seq<T>, p: seq<T> -> bool)
+  requires p(s[..|s|])
+  ensures p(s)
+{
+  assert s[..|s|] == s;
+}
+```
+
+## Answer
+
+Not all facts about built-in types are built-in to Dafny.
+Some, like this one, need to be asserted or otherwise provided as provable lemmas.
+
+The reason is that trying to provide all seemingly obvious facts is both
+a never-ending chase and, importantly, can lead to trigger loops, proof instabilities, and overall poor performance.
+The importance of having proofs be stable and performance be generally fast outweighs building in all the properties of built-in types that might otherwise be reasonable.
+
diff --git a/v4.10.0/HowToFAQ/FAQNestedModule.dfy b/v4.10.0/HowToFAQ/FAQNestedModule.dfy
new file mode 100644
index 0000000..ce8cce1
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNestedModule.dfy
@@ -0,0 +1,7 @@
+module A {
+  const SIZE := 10
+
+  module B {
+    const MYSIZE := SIZE
+  }
+}
diff --git a/v4.10.0/HowToFAQ/FAQNestedModule.md b/v4.10.0/HowToFAQ/FAQNestedModule.md
new file mode 100644
index 0000000..ffd211e
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNestedModule.md
@@ -0,0 +1,55 @@
+---
+title: Can I access the members of an outer module from its inner module?
+---
+
+## Question
+
+Can I access the members of an outer module from its inner module?
+```dafny
+{% include_relative FAQNestedModule.dfy %}
+```
+
+## Answer
+
+No. The above example gives the error messages
+```text
+{% include_relative FAQNestedModule.txt %}
+```
+
+From a module you may access your own nested modules.
+You may also access sibling modules and nested modules of sibling modules, but you need to import them.
+That includes sibling modules of a module's own enclosing modules.
+You may not access members of enclosing modules, including members declared at the global level (which are members of an implicit top-level module that includes everything in the program).
+
+In general, there is a dependency order among modules: a module _depends on_ modules whose members it uses.
+A module depends on its own nested modules.
+A program cannot have circular dependencies: a module A cannot use members of module B if B (transitively) depends on A.
+
+```dafny
+module A {
+  module B {
+    const S1 := 10
+  }
+}
+
+const S2 := 21
+const S3 := C.D.A.B.S1 // OK
+
+module C {
+  module D {
+    import A // OK - A is sibling of C
+    import A.B // OK
+    import E // OK - E is sibling of D
+    import E.F // OK
+    // import C // NOT OK - C is enclosing module
+    // import EE = C.E // NOT OK -- can't access enclosing module
+    // const X := S2 // NOT OK -- can't access top-level module
+    const Y := B.S1 // OK - B is imported module
+  }
+  module E {
+    module F {
+    }
+  }
+}
+```
+
diff --git a/v4.10.0/HowToFAQ/FAQNestedModule.txt b/v4.10.0/HowToFAQ/FAQNestedModule.txt
new file mode 100644
index 0000000..30714cb
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNestedModule.txt
@@ -0,0 +1,4 @@
+FAQNestedModule.dfy(5,20): Error: unresolved identifier: SIZE
+FAQNestedModule.dfy(5,10): Error: const field's type is not fully determined
+FAQNestedModule.dfy(4,9): Error: not resolving module 'A' because there were errors in resolving its nested module 'B'
+3 resolution/type errors detected in FAQNestedModule.dfy
diff --git a/v4.10.0/HowToFAQ/FAQNewline.md b/v4.10.0/HowToFAQ/FAQNewline.md
new file mode 100644
index 0000000..ac41e38
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNewline.md
@@ -0,0 +1,28 @@
+---
+title: It looks like, when compiling to C#, my print statements don't show up if I don't have \n at the end of the string.
+---
+
+## Question
+
+It looks like, when compiling to C#, my print statements don't show up if I don't have \n at the end of the string.
+
+## Answer
+
+The desired output is present in all current Dafny backends. But note that
+if the print statement does not include the `\n`, then the output may not either.
+In that case the output may be (depending on the shell you are using)
+concatenated with the prompt for the next user input.
+
+For example,
+```dafny
+method Main() {
+  print "Hi";
+}
+```
+produces (with a bash shell)
+```
+mydafny $ dafny run --target=cs Newline.dfy 
+
+Dafny program verifier finished with 0 verified, 0 errors
+Himydafny $
+```
diff --git a/v4.10.0/HowToFAQ/FAQNewtype.dfy b/v4.10.0/HowToFAQ/FAQNewtype.dfy
new file mode 100644
index 0000000..7b1c7ce
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNewtype.dfy
@@ -0,0 +1,12 @@
+type int8 = x: int | -256 <= x < 256
+newtype nint8 = x : int | -256 <= x < 256
+
+method test(i: int, i8: int8, ni8: nint8) {
+  var j: int, j8: int8, nj8: nint8;
+  if -256 <= i < 256 { j8 := i; } // implicit conversion OK if in range
+  if -256 <= i < 256 { nj8 := i as nint8; } // explicit conversion required
+  j := i8; // always allowed
+  j := ni8 as int; // explicit conversion required
+}
+  
+
diff --git a/v4.10.0/HowToFAQ/FAQNewtype.md b/v4.10.0/HowToFAQ/FAQNewtype.md
new file mode 100644
index 0000000..3cf3e49
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNewtype.md
@@ -0,0 +1,31 @@
+---
+title: What is the difference between a type and a newtype?
+---
+## Question
+
+One can define a _subset type_ like this
+```
+type int8 = x: int | -128 <= x < 128
+```
+and a newtype like this
+```
+newtype nint8 = x | -128 <= x < 128
+```
+
+What is the difference?
+
+## Answer
+
+In both cases, the values in the type are limited to the given range,
+but a _newtype_ intends to define a whole new type that, although still based on integers and allowing integer operations,
+is not intended to be mixed with integers.
+
+This is evident in the allowed conversions, as shown in this example code:
+```
+{% include_relative FAQNewtype.dfy %}
+```
+
+The other important characteristic of `newtype`s is that they may have a different representation in the compilation target language.
+Subset types are always represented in the same way as the base type.  But a newtype may use a different representation.
+For example, the newtype defined above might use a `byte` representation in Java, whereas an `int` is a `BigInteger`.
+The representation of a newtype can be set by the program author using the [`{:nativeType}`](../DafnyRef/DafnyRef#sec-nativetype) attribute.
diff --git a/v4.10.0/HowToFAQ/FAQNoBody.md b/v4.10.0/HowToFAQ/FAQNoBody.md
new file mode 100644
index 0000000..13cff89
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNoBody.md
@@ -0,0 +1,29 @@
+---
+title: "Is there a way to prevent 'Warning: note, this forall statement has no body' from occurring? I have a forall loop with no body that results in the lemma verifying, but if I add a body (even an empty body) the lemma doesn't verify."
+---
+
+## Question
+
+Is there a way to prevent "Warning: note, this forall statement has no body" from occurring? I have a forall loop with no body that results in the lemma verifying, but if I add a body (even an empty body) the lemma doesn't verify.
+
+## Answer
+
+The Dafny verifier allows you to omit the body of various constructs. For example, if you write a method without a body, the verifier will gladly check calls to the method against that specification (after checking the well-formedness of the method specification). This is nice, because it lets you write the specification of a method and then start using it in other places, only to later return to filling in the body of the method.
+
+The verifier is happy with such a body-less thing, but the once verification is done and you’re asking Dafny to compile your program, the compiler will complain, because it doesn’t know how to synthesize code for the method specification you wrote.
+
+You can also do this with loops. For example, you can write
+```dafny
+while i < N
+  invariant s == i * (i + 1) / 2
+```
+and not give a body. Again, the verifier is happy and will gladly check the rest of the code that follows the loop. This allows you to write down the loop invariant and make sure that the code after the loop is fine, only to later return to filling in the loop body.
+
+If you leave off the body of a loop, Dafny will gently remind you of this by giving a warning like “this loop statement has no body”.
+
+The forall statement is an aggregate statement. It simultaneously performs something for all values of the bound variables. In proofs, the forall statement is used as the counterpart of what logicians call “universal introduction”. In code, the forall statement has various restrictions, and is typically used to initialize all elements of an array.
+The forall statement can also be declared without a body. Again, the verifier is happy to reason about its use, but the compiler would complain that there’s no body.
+
+So, in the end, you do need to prove a body for your forall statements. You’ll have to make sure the body establishes the postcondition of the forall statement.
+
+And even for functions and lemmas without bodies, even though the verify does not complain, they are unproved assumptions in your program.
diff --git a/v4.10.0/HowToFAQ/FAQNoTermCheck.md b/v4.10.0/HowToFAQ/FAQNoTermCheck.md
new file mode 100644
index 0000000..c03cf39
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNoTermCheck.md
@@ -0,0 +1,23 @@
+---
+title: Can I ask Dafny to not check termination of a function?
+---
+
+## Question
+
+Can I ask dafny to not check termination of a function?
+
+## Answer
+
+Functions must always terminate, and it must be proved that they terminate.
+
+Methods on the other hand should also terminate , but you can request the the proof be skipped using `decreases *`, as in
+```dafny
+method inf(i: int)
+    decreases *
+  {
+      inf(i); 
+  }
+```
+
+Eventually you should put an actual termination metric in place of the `*` and prove termination.
+The reference manual has more information about termination metrics [in the section on `decreases` clauses](../DafnyRef/DafnyRef#sec-decreases-clause).
diff --git a/v4.10.0/HowToFAQ/FAQNonlinearArith.md b/v4.10.0/HowToFAQ/FAQNonlinearArith.md
new file mode 100644
index 0000000..0282d94
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNonlinearArith.md
@@ -0,0 +1,11 @@
+---
+title: How can I improve automation and performance for programs with non-linear arithmetic?
+---
+
+## Question
+
+How can I improve automation and performance for programs with non-linear arithmetic?
+
+## Answer
+
+There are some switches (/arith and the somewhat deprecated /noNLarith) that reduce the automation you get with nonlinear arithmetic; they improve the overall proof success by using manually introduced lemmas instead. There are now also many lemmas about nonlinear arithmetic in the Dafny standard library.
diff --git a/v4.10.0/HowToFAQ/FAQNuget.md b/v4.10.0/HowToFAQ/FAQNuget.md
new file mode 100644
index 0000000..134ffa6
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQNuget.md
@@ -0,0 +1,12 @@
+---
+title: Any plans to release the language server as a NuGet package? Seems like it’s not part of the Dafny release.
+---
+
+## Question
+
+Any plans to release the language server as a NuGet package? Seems like it’s not part of the Dafny release.
+
+## Answer
+
+It is now available on NuGet, along with other components of the Dafny:
+([https://www.nuget.org/packages?q=dafny](https://www.nuget.org/packages?q=dafny)):
diff --git a/v4.10.0/HowToFAQ/FAQOld.md b/v4.10.0/HowToFAQ/FAQOld.md
new file mode 100644
index 0000000..fe17e7d
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQOld.md
@@ -0,0 +1,20 @@
+---
+title: In an invariant, I want to say that once a boolean variable that starts false is set to true, it remains true forever.  Can I use old for this?
+---
+
+## Question
+
+In an invariant, I want to say that once a boolean variable that starts false is set to true, it remains true forever.  Can I use old for this?
+
+## Answer
+
+Almost but not quite. `old` gives you the value of an expression in the method's pre-state or at given label. 
+Equivalently. you can stash the value of an expression at some point in the control flow in some temporary (even ghost) variable.
+Then you can state a predicate saying "if the expression was true at that specific point, then it is still true now when I am testing it".
+
+But that is not quite saying "once an expression becomes true, it stays true".
+For that you need a more complicated solution:
+- declare a ghost variable `nowTrue`, initialized to `false`
+- at every location where the expression (call it `e`) is set, 
+   - first test its new value: `if nowTrue && !e { FAILURE }`
+   - and then set the ghost value `nowTrue := nowTrue || e;`
diff --git a/v4.10.0/HowToFAQ/FAQParallel.md b/v4.10.0/HowToFAQ/FAQParallel.md
new file mode 100644
index 0000000..4f89fcb
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQParallel.md
@@ -0,0 +1,18 @@
+---
+title: Does Dafny verify methods in parallel?
+---
+
+## Question
+
+Does Dafny verify methods in parallel?
+
+## Answer
+
+When used on the command-line, Dafny verifies each method in each module sequentially
+and attempts to prove all the assertions in a method in one go.
+However, you can use the option `/vcsCores` to parallelize some of the activity
+and various options related to _verification condition splitting_ can break up the work
+within a method.
+
+When used in the IDE, the default is concurrent execution of proof attempts.
+
diff --git a/v4.10.0/HowToFAQ/FAQPreconditionLabels.dfy b/v4.10.0/HowToFAQ/FAQPreconditionLabels.dfy
new file mode 100644
index 0000000..81ab33f
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQPreconditionLabels.dfy
@@ -0,0 +1,21 @@
+method M0(x: int)
+  requires x == 0
+{
+  assert x < 10; // verifies
+}
+
+method M1(x: int)
+  requires Zero: x == 0
+{
+  // the following assertion does not verify, because labeled
+  // preconditions are hidden
+  assert x < 10; // error
+}
+
+method M2(x: int)
+  requires Zero: x == 0
+{
+  // by revealing the hidden precondition, the assertion verifies
+  reveal Zero;
+  assert x < 10; // verifies
+}
diff --git a/v4.10.0/HowToFAQ/FAQPreconditionLabels.md b/v4.10.0/HowToFAQ/FAQPreconditionLabels.md
new file mode 100644
index 0000000..44d2fe0
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQPreconditionLabels.md
@@ -0,0 +1,30 @@
+---
+title: How do labels in preconditions work?
+---
+
+## Question
+
+How do labels in preconditions work?
+
+## Answer
+
+```dafny
+{% include_relative FAQPreconditionLabels.dfy %}
+```
+
+In the code example above, the precondition `x == 0` is labeled with `Zero`.
+Unlabeled preconditions are assumed at the beginning of a method body,
+but labeled preconditions are not. Labeled preconditions are only assumed
+when they are explicitly `reveal`ed. So in the example, the assert in method 
+`M1` cannot be proved because the fact `x < 10` is not known. 
+In method `M2`, that fact is made known by the `reveal` statement, and so here
+the `assert` can be proved. The effect of the `reveal` is just as if an assumption were
+made at the point of the `reveal` statement.
+
+Note that if the `reveal` statement is in a `by`
+block of an `assert by` statement, then the revealing is limited to the proof of the 
+corresponding `assert`.
+
+These same rules apply to labeled `assert` statements.
+
+There is an expanded discussion in section 7 of [_Different Styles of Proofs_](http://leino.science/papers/krml276.html).
diff --git a/v4.10.0/HowToFAQ/FAQPreconditionLabels.txt b/v4.10.0/HowToFAQ/FAQPreconditionLabels.txt
new file mode 100644
index 0000000..0e213be
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQPreconditionLabels.txt
@@ -0,0 +1,3 @@
+FAQPreconditionLabels.dfy(12,11): Error: assertion might not hold
+
+Dafny program verifier finished with 2 verified, 1 error
diff --git a/v4.10.0/HowToFAQ/FAQReadFile.md b/v4.10.0/HowToFAQ/FAQReadFile.md
new file mode 100644
index 0000000..cd6b41e
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQReadFile.md
@@ -0,0 +1,13 @@
+---
+title: How do I read a file as a string?
+---
+
+## Question
+
+How do I read a file as a string? 
+
+## Answer
+
+You can't in pure Dafny. Not yet. Such a capability will eventually be part of a standard IO library.
+
+What you can do is to write such a function in another language, say Java, and then use it in Dafny by extern declarations.
diff --git a/v4.10.0/HowToFAQ/FAQReadsClause.dfy b/v4.10.0/HowToFAQ/FAQReadsClause.dfy
new file mode 100644
index 0000000..120ddac
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQReadsClause.dfy
@@ -0,0 +1,7 @@
+// dafny Example.dfy
+class A {
+  var x: string
+}
+
+type AA = a: A | a.x == "" witness * reads a
+
diff --git a/v4.10.0/HowToFAQ/FAQReadsClause.md b/v4.10.0/HowToFAQ/FAQReadsClause.md
new file mode 100644
index 0000000..e3a7071
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQReadsClause.md
@@ -0,0 +1,56 @@
+---
+title: Where do I put the reads clause in a subset type?
+---
+
+## Question:
+
+This example
+```dafny
+{% include_relative FAQReadsClause.dfy %}
+```
+generates this error:
+```text
+{% include_relative FAQReadsClause.txt %}
+```
+but there is no obvious place to put a `reads` clause.
+
+## Answer:
+
+There is no place for the `reads` clause because no such clause should be needed.
+A type definition is not allowed to depend on a mutable field;
+the predicate in the subset type must be pure.
+
+The general idiom is to add a predicate, often named `Valid()`, to a class that
+reads its fields and returns `true` if the class members are appropriately consistent. 
+Then call `Valid()` in the pre- and post-conditions of methods and in
+preconditions of functions and predicates. Here is an example:
+
+```dafny
+class A {
+  var x: string
+  var y: string
+  predicate Valid() reads this {
+    |x| == |y|
+  }
+}
+
+method Test(a: A)
+  requires a.Valid()
+  requires a.x == ""
+  modifies a
+  ensures a.Valid()
+{
+  assert a.Valid(); // That's correct thanks to the precondition.
+  a.x := "abc"; // Because |a.y| == 0, we broke the Valid() predicate
+  assert !a.Valid(); // But that's ok.
+  a.y := "bca";
+  assert a.Valid(); // Now Dafny can prove this
+  // The postcondition holds
+}
+```
+
+The [`{:autocontracts}`]({../DafnyRef/DafnyRef#sec-attributes-autocontracts}) attribute can be helpful here.
+
+Note that the idiom using `Valid()` above is similar to the use of class invariants in other 
+specification languages.
+
diff --git a/v4.10.0/HowToFAQ/FAQReadsClause.txt b/v4.10.0/HowToFAQ/FAQReadsClause.txt
new file mode 100644
index 0000000..fbd71ff
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQReadsClause.txt
@@ -0,0 +1,2 @@
+FAQReadsClause.dfy(6,37): Error: this symbol not expected in Dafny
+1 parse errors detected in FAQReadsClause.dfy
diff --git a/v4.10.0/HowToFAQ/FAQRecord.md b/v4.10.0/HowToFAQ/FAQRecord.md
new file mode 100644
index 0000000..9ece75c
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQRecord.md
@@ -0,0 +1,37 @@
+---
+title: How does one define a record?
+---
+
+## Question
+
+How does one define a record?
+
+## Answer
+
+The Dafny `datatype` feature lets you define simple or complex records, including recursive ones.
+
+A simple enumeration record might be defined as
+```dafny
+datatype ABCD = A | B | C | D
+```
+Variables of type `ABCD` can take one of the four given values.
+
+A record might also be a single alternative but with data values:
+```dafny
+datatype Date = Date(year: int, month: int, day: int)
+```
+where a record instance can be created like `var d := Date(2022, 8, 23)` and componenents retrieved like `d.year`.
+
+There can be multiple record alternatives each holding different data:
+```dafny
+datatype ABCD = A(i: int) | B(s: string) | C(r: real) | D
+const a: ABCD := A(7)
+const b: ABCD := B("asd")
+const c: ABCD := C(0.0)
+const d: ABCD := D
+```
+
+You can determine which alternative a record value is with the built-in test functions: with the definitions above, `a.A?` is true and `b.C?` is false. And you can extract the record alternative's
+data: in the above `a.i` is well-defined if `a.A?` is true, in which case it has the value `7`.
+
+There is more description of datatypes [here](../DafnyRef/DafnyRef#sec-algebraic-datatype).
diff --git a/v4.10.0/HowToFAQ/FAQRecursiveCalls.md b/v4.10.0/HowToFAQ/FAQRecursiveCalls.md
new file mode 100644
index 0000000..955fef4
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQRecursiveCalls.md
@@ -0,0 +1,36 @@
+---
+title: Are there functional alternatives to recursive calls that are more efficient or use less stack space?
+---
+
+## Question
+
+Are there functional alternatives to recursive calls that are more efficient or use less stack space?
+
+## Answer
+
+One way to reduce the number of recursive calls is to use Dafny's function-by-method construct to give a better performing implementation.
+For example
+```dafny
+function Fib(n: nat): nat {
+  if n < 2 then n else Fib(n-1) + Fib(n-2)
+}
+```
+it a very natural but quite inefficient implementation of the Fibonacci function (it takes `Fib(n)` calls of `Fib` to compute `Fib(n)`, though only to a stack depth of `n`).
+
+With function-by-method we can still use the natural recursive expression as the definition but provide a better performing implementation:
+```dafny
+function Fib(n: nat): nat
+ {
+  if n < 2 then n else Fib(n-1) + Fib(n-2)
+} by method {
+  var x := 0;
+  var y := 1;
+  for i := 0 to n 
+    invariant x == Fib(i) && y == Fib(i+1)
+  {
+    x, y := y, x+y;
+  }
+  return x;
+}
+```
+This implementation both combines the two computations of Fib and also, more importantly, turns a tail recursive recursion into a loop.
diff --git a/v4.10.0/HowToFAQ/FAQRecursiveTermination.md b/v4.10.0/HowToFAQ/FAQRecursiveTermination.md
new file mode 100644
index 0000000..45b050e
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQRecursiveTermination.md
@@ -0,0 +1,47 @@
+---
+title: Is there a simple way to prove the termination of a recursive function?
+---
+
+## Question
+
+Is there a simple way to prove the termination of a recursive function?
+
+Here is an example function:
+```dafny
+datatype Dummy = State1 | State2
+
+function WalkState(str: string, s: Dummy): string {
+  if str == [] then []
+  else if s.State1? then WalkState(str[1..], Dummy.State2)
+  else WalkState(str, Dummy.State1)
+}
+```
+
+## Answer
+
+In general, to prove termination of any recursive structure, one needs to declare a 
+([well-founded](../DafnyRef/DafnyRef#sec-well-founded-orders)) measure that decreases on each iteration or recursive invocation;
+because a well-founded measure has no infinitely decreasing sequences, the recursion must eventually terminate.
+In many cases, Dafny will deduce a satisfactory (provable) measure to apply by default.
+But where it cannot, the user must supply such a measure. A user-supplied measure is 
+declared in a `decreases` clause. Such a measure is a sequence of expressions, ordered lexicographically by the
+termination metric for each data type; the details of the ordering are 
+explained in the [reference manual section on Decreases Clause](../DafnyRef/DafnyRef#sec-decreases-clause).
+
+In the case of this example, the measure must be a combination of the length of the string, 
+which decreases (and is bounded by 0) in the _else if_ branch and the state, 
+creating a measure in which `Dummy.State1` is less than `Dummy.State2` and so decreases in the
+final _else_ branch. So we can write
+```dafny
+datatype Dummy = State1 | State2
+
+function WalkState(str: string, s: Dummy): string 
+  decreases |str|, if s.State2? then 1 else 0
+{
+  if str == [] then []
+  else if s.State1? then WalkState(str[1..], Dummy.State2)
+  else WalkState(str, Dummy.State1)
+}
+```
+which then proves without further user guidance.
+
diff --git a/v4.10.0/HowToFAQ/FAQRedundantCase.md b/v4.10.0/HowToFAQ/FAQRedundantCase.md
new file mode 100644
index 0000000..af12886
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQRedundantCase.md
@@ -0,0 +1,33 @@
+---
+title: I just realized that a function I was compiling had a type error inside a match case.  Instead of giving a compile error I was getting a redundant clause warning for the second case. What is the reason for this?
+---
+
+## Question
+
+I just realized that a function I was compiling had a type-error inside a match case.  Instead of giving a compile error I was getting a redundant clause warning for the second case. What is the reason for this?
+
+## Answer
+
+Here is a situation that can cause this error:
+```dafny
+datatype AB = A | B
+method test(q: AB) {
+  var c := match q { case a => true case b => false };
+}
+```
+The example has an error on the second `case` saying this branch is redundant.
+
+The problem here is that both `a` and `b` are undeclared variables. Consequently they both match
+in match expression `q` no matter what `q`'s value is. Because `a` matches no matter what, 
+the second case is redundant.
+
+What is usually intended by such code is something like this:
+```dafny
+datatype AB = A | B
+method test(q: AB) {
+  var c := match q { case A => true case B => false };
+}
+```
+which causes no type errors.
+
+The observation here is that misspelled type names in case patterns can cause silent unexpected  behavior. It is likely that a lint warning will be produced for the above anti-pattern in some future version of Dafny.
diff --git a/v4.10.0/HowToFAQ/FAQReferences.md b/v4.10.0/HowToFAQ/FAQReferences.md
new file mode 100644
index 0000000..b77978a
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQReferences.md
@@ -0,0 +1,21 @@
+---
+title: A `seq` is an object reference, right?
+---
+
+## Question
+
+A `seq` is an object reference, right?
+
+## Answer
+
+No. Types in Dafny are either heap-dependent (reference) types or strict value-types. Built-in types are typically value types.
+Value types are heap independent, though they may be stored in the heap as part of an object.
+
+Value types include `bool`, `int`, `char`, `real`, `ORDINAL`, datatypes and co-datatypes, arrow types, bit-vector types, `seq`, `set`, `iset`, `multiset`, `map`, `imap`, `string`, tuple types,  and subset or newtypes with value type bases.
+
+Reference types are classes, traits, arrays, and iterators.
+
+The values of value types are immutable; new values may be computed but are not modified. Integers are a good mental
+model for value types, but in Dafny, datatypes, sequences, sets, and maps are also immutable values. 
+Note that though the values of these types are immutable,
+they may contain instances of reference types (which might be mutable).
diff --git a/v4.10.0/HowToFAQ/FAQSeqTrait.md b/v4.10.0/HowToFAQ/FAQSeqTrait.md
new file mode 100644
index 0000000..7cef344
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQSeqTrait.md
@@ -0,0 +1,29 @@
+---
+title: How can I combine sequences of different types?
+---
+
+## Question
+
+How can I combine sequences of different types?
+
+## Answer
+
+It depends on the types. If the different types are subset types of a common base type, you can make a combined list of the base type. Similarly if the two types are classes (or traits) that extend a common trait, then you can combine sequences into a sequence of that trait. And since all classes extend the trait `object`, that can be the common type.
+
+Here is some sample code:
+```dafny
+trait T {}
+class A extends T {}
+class B extends T {}
+
+method m() {
+  var a: A := new A;
+  var sa: seq<A> := [ a ];
+  var b := new B;
+  var sb : seq<B> := [b ];
+  var st : seq<T> := sa + sb;
+  var so : seq<object> := sa + sb;
+}
+```
+
+In fact, Dafny will generally infer a common type for you in the case of sequence concatentation.
diff --git a/v4.10.0/HowToFAQ/FAQSetConstructor.md b/v4.10.0/HowToFAQ/FAQSetConstructor.md
new file mode 100644
index 0000000..7d6df97
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQSetConstructor.md
@@ -0,0 +1,59 @@
+---
+title: "Why does Dafny complain about this use of a set constructor: `set i: int | Contains(i)`?"
+---
+
+## Question
+
+Why does Dafny complain about this use of a set constructor: `set i: int | Contains(i)`?
+Here is an example:
+```dafny
+module test {
+
+  ghost const things: set<int>
+
+  predicate Contains(t: int) 
+  {
+    t in things
+  }
+
+  function ThisIsOk(): set<int> {
+    set i: int | i in things && i > 0
+  }
+
+  function ThisIsNotOk(): set<int> {
+    set i: int | Contains(i) && i > 0
+  }
+
+}
+```
+
+which produces the error "the result of a set comprehension must be finite, but Dafny's heuristics can't figure out how to produce a bounded set of values for 'i'".
+
+## Answer
+
+In constructing a `set`, which must be finite, Dafny must prove that the set is indeed finite.
+When the constructor has `i in things` inlined, Dafny can see that the set of values of `i` for which the predicate is true can be no larger than `things`, which is already known by declaration to be 
+a finite set. However, when the predicate is `Contains`, Dafny cannot in general see that fact.
+The Dafny's heuristic for determining that the constructor is producing a finite set does not
+inspect the body of `Contains` even though that is a transparent function. Note that if the constructor and the return type of `ThisIsNotOK` is made `iset`, Dafny does not complain.
+
+An alternate general way to refine a set is given by this example:
+```dafny
+module test {
+
+  ghost const things: set<int>
+
+  function RefineThings(condition: int -> bool): set<int>
+  {
+    set t: int | t in things && condition(t)
+  }
+
+  function ThisIsOk(): set<int> {
+    set i: int | i in things && i > 0
+  }
+
+  function ThisIsOkAgain(): set<int> {
+    RefineThings(i => i > 0)
+  }
+}
+```
diff --git a/v4.10.0/HowToFAQ/FAQSetToSeq.md b/v4.10.0/HowToFAQ/FAQSetToSeq.md
new file mode 100644
index 0000000..9388fb0
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQSetToSeq.md
@@ -0,0 +1,35 @@
+---
+title: Is there a nice way to turn a `set` into a `seq`?
+---
+
+## Question
+
+Is there a nice way to turn a set into a seq?
+
+## Answer
+
+There is as yet no built-in simple function but there are various idioms that can accomplish this task.
+
+Within a method (where you can use a while loop), try `var acc: seq<int> := []; 
+  while s != {} { var x: int :| x in s; acc := acc + [x]; s := s - {x}; }`
+
+You could use a function-by-method to encapsulate the above in a function.
+
+Here is an extended example taken from  [Dafny Power User: Iterating over a Collection](http://leino.science/papers/krml275.html).
+
+```dafny
+function SetToSequence<A(!new)>(s: set<A>, R: (A, A) -> bool): seq<A>
+  requires IsTotalOrder(R)
+  ensures var q := SetToSequence(s, R);
+    forall i :: 0 <= i < |q| ==> q[i] in s
+{
+  if s == {} then [] else
+    ThereIsAMinimum(s, R);
+    var x :| x in s && forall y :: y in s ==> R(x, y);
+    [x] + SetToSequence(s - {x}, R)
+}
+
+lemma ThereIsAMinimum<A(!new)>(s: set<A>, R: (A, A) -> bool)
+  requires s != {} && IsTotalOrder(R)
+  ensures exists x :: x in s && forall y :: y in s ==> R(x, y)
+```
diff --git a/v4.10.0/HowToFAQ/FAQSplitHere.md b/v4.10.0/HowToFAQ/FAQSplitHere.md
new file mode 100644
index 0000000..9ffdd9c
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQSplitHere.md
@@ -0,0 +1,35 @@
+---
+title: How do `{:split_here}` and `{:focus}` work to divide up a proof?
+---
+
+## Question
+
+How do `{:split_here}` and `{:focus}` work to divide up a proof?
+
+## Answer
+
+Verifying a method requires proving a large number of assertions.
+Dafny uses a backend prover (an SMT solver) to verify assertions. The prover may become better or worse at verifying an assertion if you ask it to also verify another assertion. 
+Dafny allows you to split up a group of assertions into batches, where each batch is sent to the SMT solver separately, so the verification of each batch is not influenced by the others.
+
+
+One default way of operating is to combine all assertions into one batch, leading to a single run of the prover. 
+ However, even when this is more efficient than the combination of proving each
+assertion by itself (with prover start-up costs and the like for each one), it can also take quite a while to give a final result, possibly even timing-out.
+
+So sometimes it is preferable to prove each assertion by itself, using the `-vcsSplitOnEveryAssert` command-line option.
+
+But there are also intermediate options. Look at the various command-line options under "Verification-condition splitting".
+
+Another way to split up the way in which assertions are grouped for proof is to use the two attributes `{:focus}` and `{:split_here}`,
+both of which are applied to assert statements.
+
+In brief, `{:focus}` says to focus on the block in which the attribute appears. Everything in that block is one assertion batch and everything
+outside that block is another assertion batch. It does not matter where in the block the `{:focus}` attribute appears. If there are multiple
+`{:focus}` attributes, each block containing one (or more) is one assertion batch, and everything outside of blocks containing `{:focus}` attributes
+is a final assertion batch. This attibute is usually used to break out if-alternatives or loop-bodies into separate verification attempts.
+
+`{:split_here}` creates an assertion batch of all assertions strictly before the attributed statement and another of the assertions at or after
+the attributed statement. This attribute is usually used to break up long stretches of straight-line code.
+
+Some examples that show how this works for multiple nested blocks are given in the reference manual, [here](../../DafnyRef/DafnyRef#sec-focus) and [here](../../DafnyRef/DafnyRef#sec-split_here).
diff --git a/v4.10.0/HowToFAQ/FAQStandardLibrary.md b/v4.10.0/HowToFAQ/FAQStandardLibrary.md
new file mode 100644
index 0000000..8e9ff43
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQStandardLibrary.md
@@ -0,0 +1,11 @@
+---
+title: Is there a standard library for Dafny?
+---
+
+## Question
+
+Is there a standard library for Dafny?
+
+## Answer
+
+No, but one is planned. Some sample code is at [https://github.com/dafny-lang/libraries](https://github.com/dafny-lang/libraries). Contributions and ideas are welcome.
diff --git a/v4.10.0/HowToFAQ/FAQStringOutput.md b/v4.10.0/HowToFAQ/FAQStringOutput.md
new file mode 100644
index 0000000..2d51c5e
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQStringOutput.md
@@ -0,0 +1,14 @@
+---
+title: How do I format a string?
+---
+
+## Question
+
+How do I format a string?
+
+## Answer
+
+As of version 3.7.3, Dafny has no built-in or library capability to convert values to strings or to format them.
+There is only the `print` statement that emits string representations of values to standard-out.
+
+For now you will need to implement your own methods that convert values to strings, concatenating them to produce formatted strings.
diff --git a/v4.10.0/HowToFAQ/FAQStyle.md b/v4.10.0/HowToFAQ/FAQStyle.md
new file mode 100644
index 0000000..646d6e1
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQStyle.md
@@ -0,0 +1,15 @@
+---
+title: Is there a Dafny style? and a Dafny linter (style checker and bad smell warnings)?
+---
+
+## Question
+
+Is there a Dafny style? and a Dafny linter (style checker and bad smell warnings)?
+
+## Answer
+
+There is a Dafny style guide [here](https://dafny.org/dafny/StyleGuide/Style-Guide).
+
+There is not yet a Dafny lint tool (that is, warnings about technically correct but suspicious or poor-style code),
+though a formatter is underway. Warnings about some matters are included in the Dafny parser. 
+However, ideas for lint warnings are being collected and you are welcome to contribute ideas: suggestions can be made on the [issues list](https://github.com/dafny-lang/dafny/issues).
diff --git a/v4.10.0/HowToFAQ/FAQTermination.md b/v4.10.0/HowToFAQ/FAQTermination.md
new file mode 100644
index 0000000..11a86e4
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQTermination.md
@@ -0,0 +1,35 @@
+---
+title: Is there a way to disable termination checks for recursive predicate definitions that I know to be logically consistent?
+---
+
+## Question
+
+Is there a way to disable termination checks for recursive predicate definitions that I know to be logically consistent?
+
+## Answer
+
+Well, first of all, be careful about thinking things like "I know this to be logically consistent". Verifiers exist to check our human tendency to hand-wave over questionable assumptions.
+
+That said, you can do something like this:
+
+```dafny
+predicate P(x: int, terminationFiction: int)
+  decreases terminationFiction
+{
+  assume 0 < terminationFiction;
+  P(x, terminationFiction - 1)
+}
+```
+
+That may cause some quantification triggering problems and may need an axiom like
+```
+forall x,j,k:int :: P(x, j) == P(x, k)
+```
+
+It can also help to manually instantiate an axiom to avoid triggering issues:
+declare the axiom like this:
+```dafny
+lemma {:axiom} PSynonym(x: int, j: int, k: int)
+  ensures P(x, j) == P(x, k)
+```
+and then call the lemma as needed.
diff --git a/v4.10.0/HowToFAQ/FAQTerminationFalse.md b/v4.10.0/HowToFAQ/FAQTerminationFalse.md
new file mode 100644
index 0000000..d9d2bc7
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQTerminationFalse.md
@@ -0,0 +1,51 @@
+---
+title: What do {:termination false} and @AssumeCrossModuleTermination do? It looks one of them is required if I want to extend traits from other modules.
+---
+
+## Question
+
+What do `{:termination false}` and `@AssumeCrossModuleTermination` do? It looks one of them is required if I want to extend traits from other modules.
+
+## Answer
+
+These attributes allow a class to extend a trait from another module, even though termination checking may then miss cases of non-termination. Here is an example
+```dafny
+module foo1 {
+
+  trait {:termination false} Foo {
+    method bar()
+  }
+
+  class Baz{
+
+    static method boz(foo: Foo){ foo.bar(); }
+
+  }
+}
+module foo2 {
+
+  import opened foo1
+
+  class Boz extends Foo {
+
+    method bar(){
+      Baz.boz(this);
+    }
+  }
+}
+```
+In this example, omitting `{:termination false}` provokes the error "class 'Boz' is in a different module than trait 'foo1.Foo'. A class may only extend a trait in the same module, 
+unless the class is annotated with `@AssumeCrossModuleTermination` or the parent trait is annotated with `{:termination false}`.".
+
+These attributes are only needed when there is dynamic dispatch across module boundaries.
+It does put the onus on the user to prove termiation, as Dafny may successfully verify the program even if some execution paths may never terminate.
+The origin of this situation has to do with the interaction of current decreases clauses and traits.
+
+Dafny decreases clauses were designed before the language had dynamic dispatch via trait members. As such, decreases clauses are made to be as simple as possible within each module, and decreases clauses are unnecessary across modules. When dynamic dispatch was added to the language, a draconian restriction was put in place to maintain soundness, namely to disallow dynamic dispatch across module boundaries. This is enforced by insisting that a class that implements a trait is declared in the same module that declares the trait.
+
+The draconian restriction outlaws the useful case where a trait is placed in a library. 
+The recommended approach is to NOT add `{:termination false}` to the trait,
+but instead expect that any extending classes declared in other modules add `@AssumeCrossModuleTermination`.
+This ensures that users of the library are made aware of this unsoundness and must opt-in to it.
+
+The status of solutions to this problem are discussed [here](https://github.com/dafny-lang/dafny/issues/1588).
diff --git a/v4.10.0/HowToFAQ/FAQThisFrameField.md b/v4.10.0/HowToFAQ/FAQThisFrameField.md
new file mode 100644
index 0000000..22125fd
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQThisFrameField.md
@@ -0,0 +1,23 @@
+---
+title: How do I say 'reads if x then this\`y else this\`z'? Dafny complains about the 'this'.
+---
+
+## Question: 
+
+How do I say 'reads if x then this\`y else this\`z'? Dafny complains about the 'this'.
+
+## Answer:
+
+Here is some sample code that show a workaround.
+
+```dafny
+trait Test {
+  var y: int
+  var z: int
+  function {:opaque} MyFunc(x: bool): int
+    reads (if x then {this} else {})`y, (if x then {} else {this})`z {
+    if x then y else z
+  }
+}
+
+```
\ No newline at end of file
diff --git a/v4.10.0/HowToFAQ/FAQTraitsForDatatypes.md b/v4.10.0/HowToFAQ/FAQTraitsForDatatypes.md
new file mode 100644
index 0000000..56a99c7
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQTraitsForDatatypes.md
@@ -0,0 +1,13 @@
+---
+title: Can datatypes extend traits?
+---
+
+## Question:
+
+I heard a rumor of datatypes extending traits coming in the pipeline. How will that work? Will we be able to use `is` and `as` with such types?
+
+## Answer:
+
+Yes, datatypes extending traits are coming (but not immediately).
+The traits would need to be declared when the datatype is declared; the trait cannot be added later on.
+`is` and `as` are possible.
diff --git a/v4.10.0/HowToFAQ/FAQTriggers.md b/v4.10.0/HowToFAQ/FAQTriggers.md
new file mode 100644
index 0000000..d1b7291
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQTriggers.md
@@ -0,0 +1,25 @@
+---
+title: "What does `forall v :: v in vals ==> false` evaluate to if `vals` is non-empty?"
+---
+
+## Question
+
+What does `forall v :: v in vals ==> false` evaluate to if `vals` is non-empty?
+Should it be false? I’m having some problem proving the last assertion in Dafny.
+
+```dafny
+assert vals != [];
+assert MatchingResult() == (forall v :: v in vals ==> false);
+assert !MatchingResult();
+```
+
+## Answer
+
+The problem here is the trigger on the quantification expression.
+Dafny sees the `forall` quantifier but uses it only when there is a `v in vals` fact in the context for some v (this is what the annotation on the forall in the VSCode IDE means: Selected triggers: {v in vals}).  So until you give it a concrete fact to "trigger" on, it doesn't use your quantifier.
+
+It is not recommended that users insert triggers in their Dafny code. Rather, it is better to reorganize the 
+quantification expressions to make the desired trigger more obvious to the Dafny tool.
+Here are two references that explain triggers in more detail:
+- [A wiki page on triggers](https://github.com/dafny-lang/dafny/wiki/FAQ#how-does-dafny-handle-quantifiers-ive-heard-about-triggers-what-are-those)
+- [Pages 2--4 of this paper](https://pit-claudel.fr/clement/papers/dafny-trigger-selection-CAV16.pdf)
diff --git a/v4.10.0/HowToFAQ/FAQTypeCompare.dfy b/v4.10.0/HowToFAQ/FAQTypeCompare.dfy
new file mode 100644
index 0000000..c396ade
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQTypeCompare.dfy
@@ -0,0 +1,7 @@
+abstract module Mixin1 { type T = int }
+abstract module Mixin2 { type T = int }
+abstract module Mixins1and2 {
+    import M1 : Mixin1
+    import M2 : Mixin2
+    lemma typeConstraint() ensures M1.T == M2.T
+}
diff --git a/v4.10.0/HowToFAQ/FAQTypeCompare.md b/v4.10.0/HowToFAQ/FAQTypeCompare.md
new file mode 100644
index 0000000..7eec439
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQTypeCompare.md
@@ -0,0 +1,16 @@
+---
+title: Is there a way to test that two types are the same?
+---
+
+## Question
+
+Is there a way to test that two types are the same, as in this exmple:
+```
+{% include_relative FAQTypeCompare.dfy %}
+```
+
+## Answer
+
+No. Types are not first-class entities in Dafny. There are no variables or literals of a type `TYPE`.
+There is a type test for reference types, namely `is`, but that is not a strict type equality but a
+test that the dynamic type of a reference object is the same as or derived from some named type.
diff --git a/v4.10.0/HowToFAQ/FAQTypeInference.md b/v4.10.0/HowToFAQ/FAQTypeInference.md
new file mode 100644
index 0000000..737b30f
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQTypeInference.md
@@ -0,0 +1,31 @@
+---
+title: I can define a trait with some type parameters say trait Test<A, B, C>. When I use this trait is there a way to get Dafny to infer these types for me?
+---
+
+## Question
+
+I can define a trait with some type parameters say trait `Test<A, B, C>`. When I use this trait is there a way to get Dafny to infer these types for me?
+
+## Answer
+
+Type inference, though quite extensive in its effect, only works within the bodies of functions and methods.
+Types in signatures and actual values for type parameters need to be written explicitly.
+
+When type inference is used (within a body), types are determined by how they are used, not just be initializing
+expressions. So the inferred type in a declaration may depend on code that appears textually after the declaration.
+Here is some example code:
+```dafny
+class C<X(0)> {
+  static method M() returns (x: X) {
+  }
+
+  method P() {
+    var x0 := M();        // type of x0 inferred to be X, from M()'s signature
+    var x1 := C<int>.M(); // type of x1 inferred to be int
+    var x2: int := C.M(); // M() instantiated with int
+
+    var x3 := C.M();      // error: type of x3 is underspecified
+    var x4: int := M();   // error: M() instantiated with X, but x4 has type int
+  }
+}
+```
diff --git a/v4.10.0/HowToFAQ/FAQTypeParameterRestriction.md b/v4.10.0/HowToFAQ/FAQTypeParameterRestriction.md
new file mode 100644
index 0000000..95bb96b
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQTypeParameterRestriction.md
@@ -0,0 +1,17 @@
+---
+title: Is it possible to restrict a type parameter to be a reference type? I see you can use T(!new) but I’m looking for the opposite.
+---
+
+## Question
+
+Is it possible to restrict a type parameter to be a reference type? I see you can use `T(!new)` but I’m looking for the opposite.
+
+## Answer
+
+No. The only restrictions available (as of version 3.7.3) are
+- `T(==)` - type supports equality
+- `T(0)` - type is auto-initializable
+- `T(00)` - type is non-empty
+- `T(!new)` - type may **not** be a reference type or contain a reference type
+
+See the [appropriate section of the reference manual](../DafnyRef/DafnyRef#sec-type-parameter-variance) for more information.
diff --git a/v4.10.0/HowToFAQ/FAQTypeReasoning.md b/v4.10.0/HowToFAQ/FAQTypeReasoning.md
new file mode 100644
index 0000000..5d04c75
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQTypeReasoning.md
@@ -0,0 +1,23 @@
+---
+title: Can it be proved that a class instance is not an instance of a trait?
+---
+
+## Question
+
+Can it be proved that a class instance is not an instance of a trait, as in the following example?
+```dafny
+trait A<T> {}
+
+class B {}
+
+lemma Foo(v: object)
+  ensures v is B ==> !(v is A<object>)
+{}
+```
+
+## Answer
+
+No. Although the lemma is valid and may be stated as an axiom, Dafny does not internally model
+the type hierarchy and so does not have the information to prove that statement.
+Such an axiom would have to be manually checked against the type hierarchy if the definitions of 
+the types involved were to change.
diff --git a/v4.10.0/HowToFAQ/FAQUpdateArrayField.md b/v4.10.0/HowToFAQ/FAQUpdateArrayField.md
new file mode 100644
index 0000000..4f7cc46
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQUpdateArrayField.md
@@ -0,0 +1,65 @@
+---
+title: How do I tell Dafny that a class field may be updated?
+---
+
+## Question
+
+I get a "call might violate context's modifies clause" in the following context.
+I have a field in a class that is is an array whose elements are being modified by a call, but the field does not exist when the enclosing method
+is called. So how do I tell Dafny that it can be modified?
+
+Here is an example situation:
+```dafny
+class WrapArray {
+  var intarray: array<int>; 
+  constructor (i:int) 
+    requires i > 0
+  {
+    this.intarray := new int[i];
+  }
+  method init(i: int)
+    modifies intarray
+  {
+    var index: int := 0;
+    while (index < intarray.Length){
+      intarray[index] := i;
+      index := index+1;
+    }
+  }
+}
+
+method Main()
+{
+  var sh:= new WrapArray(5);
+  sh.init(4);
+}
+```
+
+## Answer
+
+When dafny is asked to verify this, it complains about the call `sh.init` that it modifies objects that
+Main does not allow. Indeed `sh.init` does modify the elements of `sh.intarray` and says so in its `modifies` clause,
+but that array does not even exist, nor is `sh` in scope, in the pre-state of `Main`. 
+So where should it be indicated that `sh.intarray` may be modified?
+
+The key is in the fact that neither `sh` nor `sh.intarray` is allocated in `Main`'s pre-state. `Main` should be allowed 
+to modify objects that are allocated after the pre-state. Indeed `Main` knows that `sh` is newly allocated, so its fields
+may be changed. That is, we are allowed to assign to `sh.intarray`. But here we want to change the state of `sh.intarray`,
+not `sh`. The array is newly allocated, but `Main` does not know this.
+After all, it is possible that the constructor initialized `sh.intarray` with some existing array and changing that array's elements
+would change the state of some other object. We need to tell `Main` that the constructor of `WrapArray` allocates a new 
+array of ints. The syntax to do that is to add a postcondition to the constructor that says `fresh(intarray)`.
+
+Writing the constructor like this
+
+```dafny
+  constructor (i:int)
+    requires i>0
+    ensures fresh(intarray)
+  {
+      this.intarray := new int[i];
+  }
+  
+```
+
+solves the problem.
diff --git a/v4.10.0/HowToFAQ/FAQWitness.md b/v4.10.0/HowToFAQ/FAQWitness.md
new file mode 100644
index 0000000..1fb4c87
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQWitness.md
@@ -0,0 +1,23 @@
+---
+title: Why do I need a witness clause when I define a subset type or newtype?
+---
+
+## Question
+
+Why do I need a witness clause in subtype definitions like
+```
+type A = s: int | Prime(x) witness 13
+```
+
+## Answer
+
+Dafny generally assumes that types are non-empty; the witness is an example value that is in the type, demonstrating that the type is non-empty.
+
+There are defaults for the `witness` clause, so you don't always have to have one. The default value is some zero-equivalent value: `0` for `int` based types, `0.0` for `real`-based types, 
+empty sets, sequence and maps for those base types.
+
+And, it is permitted to have possibly empty types by using a witness clause `witness *`, but there are restrictions on the use of possibly empty types.
+For instance, a declaration of a variable with a possibly-empty type will need an initializer,
+if that variable is ever used, because Dafny requires variables to be 'definitely assigned' before being used.
+
+The Reference Manual contains a [discussion about witness clauses](../DafnyRef/DafnyRef#sec-witness-clauses).
diff --git a/v4.10.0/HowToFAQ/FAQZ3.md b/v4.10.0/HowToFAQ/FAQZ3.md
new file mode 100644
index 0000000..79b0b02
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQZ3.md
@@ -0,0 +1,14 @@
+---
+title: Why do I need to use an old version of Z3?
+---
+
+## Question
+
+Why do I need to keep using an old version of Z3?
+
+## Answer
+
+It is correct that the version of Z3 used by Dafny (through Boogie) is an old version.
+Although the Dafny team would like to upgrade to newer versions of Z3 (to take advantage
+of bug fixes, at a minimum), so far the newer versions of Z3 perform more poorly on
+Dafny-generated SMT for many test cases.
diff --git a/v4.10.0/HowToFAQ/FAQ_GenericType.md b/v4.10.0/HowToFAQ/FAQ_GenericType.md
new file mode 100644
index 0000000..d3948c4
--- /dev/null
+++ b/v4.10.0/HowToFAQ/FAQ_GenericType.md
@@ -0,0 +1,24 @@
+---
+title: Is there a way I can pass a variable with a generic type to a method with a concrete type?
+---
+
+## Question
+
+Is there a way I can pass a variable with a generic type to a method with a concrete type? Here is some motivating code:
+```dafny
+predicate Goo<K, V>(m: map<K, V>)
+  requires m.keyType is string // Can I do something like this?
+{ Foo(m) }
+
+predicate Foo<V>(m: map<string, V>)
+```
+
+## Answer
+
+In short, no.
+
+There are a few problems here. First there is no way to extract the type of the keys of a map as a _type_ value. Dafny does not have the capability to reason about 
+types as first-class entities. In fact the `is` operator takes a value and a type, not two types.
+
+We could try writing the precondition as `requires m.Keys is set<string>`, but that is not permitted either as `m.Keys` is a `set<K>` and is not comparable to `set<string>` with `is`.
+ 
diff --git a/v4.10.0/HowToFAQ/check-errors b/v4.10.0/HowToFAQ/check-errors
new file mode 100644
index 0000000..9ccb43d
--- /dev/null
+++ b/v4.10.0/HowToFAQ/check-errors
@@ -0,0 +1,109 @@
+#! /usr/bin/env bash
+
+# ErrorIds are used in Dafny to connect programmatic calls to emit an error message to the code that provides error information and
+# quick fixes in-app and to the markdown documentation that gives more explanation of the error than is possible in an error message.
+# This script (along with 'check-errors-a') detects inconsistenciees among the various uses of ErrorIds.
+#
+# The design of errorids uses a C# Enum to define the programmatic ids, so that misspellings are caught by the compiler.
+# Second, rather than have one huge file of all the enum constants, they are broken up into categories.  Each category has a different
+# prefix (e.g. p_, ref_, ...) and consists of a different set of files. Even though this makes a different enum type for each category,
+# all the errorids can be handled uniformly as subtypes of 'Enum'.
+# But third, we do not want the, sometimes extensive, error explanation text to have to be placed in the middle of the control flow at every
+# call to emit an error message. So the files contaiing the enums of a given category are placed in *Errors.cs files near their respective code.
+# A Errors-*.md file is part of the documentation error catalog (at https://dafny.org/dafny/HowToFAQ/Errors). It contains a section for each error
+# message: the message (as a heading), Dafny code that elicits the message, and explanatory text.
+# To avoid repeating the error explanations both in code and in md files, the md file is generated from the code and a template file.
+#
+# To take the Parser errors as an example
+#   - Errors related to parsing are contained in Dafny.atg, Parser.frame, Scanner.frame and ProgramParser.cs
+#   - The file ParserErrors.cs contains the definition of an enum with errorids for the 100 or so possible parsing error messages. 
+#     This file can be located near the parsing code,
+#   - Each ParseErrors.ErrorId has a prefix p_, but otherwise is a cryptic English NL statement of the problem.
+#   - ParseErrors.cs also contains 'Add' methods that define the explanatory text and any quick fix.
+#   - Errors-Parser.template is a file that shows the documented error messages and code snippets. The script 'make-error-catalog' does a rudimentary
+#     scan of ParseErrors.cs to extract the error explanations and fill them in the template to create Errors-Parser.md.
+#     This (generated) file is committed to GH so that it is served to the user as GH markdown pages.
+#
+# With ErrorIds used in multiple locations, one needs a means to check that they are consistent. This script does that.
+# For each error category X
+#   - The master list of ErrorIds is the enum definition in XErrors.cs (the ENUM-list)
+#   - The Add methods in XErrors.cs use those enums (the ADD-list)
+#     - The compiler ensures that ADD-list is a subset of ENUM-list
+#     - But anything missing in ADD-list indicates missing documentation (and possible quick fix) in the code
+#   - The error ids used in the source code are extracted by simple scanning into CS-list
+#     - Again, the compiler ensures that CS-list is a subset of ENUM-list
+#     - Any error id in ENUM-list not in CS-list is an unnecssary ErrorId, perhaps come about by refactoring and eliminating code
+#       or renaming error ids or because of an inadequacy in the script).
+#     - In transition, some error messages will use an ErrorId of 'none'. These will not have any documentation and should be
+#       eliminated over time.
+#   - In the markdown file (Errors-X.template and the generated Errors-X.md), each heading contains, as an HTML link, the error id 
+#     (in text). These are collected into the MD-list.
+#      - any ids in ENUM-list and not in MD-list are undocumented errors and should be eliminated over time
+#      - any ids in MD-list and not in ENUM-list correspond to non-existent/obsolete errors and should be removed from *.template.
+#      - the code snippets in the .md file need to actually produce the advertised error with the correct ErrorId.
+#        The check-examples script does this. It is run as part of CI.
+#
+# Not yet completed matters:
+#   - Not all error messages have ErrorIds
+#   - Consequently the signatures in Reporting.cs use a mix of string and Enums
+#   - Not all errors have explanations or quick fixes or code snipppets.
+#   - Not all categories are broken into a .template and .md file, corresponding to cases where there are as yet no or few items
+#     in the ADD-list.
+# 
+# Items to note
+#   - The scripts to extract ids depend on uniform coding style:
+#       - each use of an id is prefaced by 'ErrorId.' with one ErrorId per line
+#       - the enum file has one id per line
+#       - the Add methods are named 'Add' and have a consistent layout
+#   - There is no check that the prefixes of the enum constants are used consistently
+
+# Go to the folder containing this script (expected to be docs/HowToFAQ)
+d=$(dirname ${BASH_SOURCE[0]})
+cd $d
+
+keepTmp=0
+if [ "$1" == "-k" ]; then 
+  keepTmp=1
+fi
+
+# Relative path to source code, for convenience
+D=../../Source/DafnyCore
+
+# Each error category is checked in turn.
+# The arguments to check-errors-a are (1) the md file, (2) the corresponding XErrors file, 
+# (3) a quoted list of the soursce code files that produce the errors.
+
+echo ">>>> PARSER"
+
+./check-errors-a Errors-Parser.md $D/AST/Grammar/ParseErrors.cs "$D/Dafny.atg $D/CoCo/Parser.frame $D/CoCo/Scanner.frame $D/AST/Grammar/ProgramParser.cs"
+
+echo ">>>> GENERIC"
+
+./check-errors-a Errors-Generic.md $D/Generic/GenericErrors.cs "$D/Generic/Util.cs $D/DafnyOptions.cs" 
+
+echo ">>>> COMPILER"
+
+csfiles="$D/Compilers/*.cs $D/Compilers/*/*.cs"
+./check-errors-a Errors-Compiler.md $D/Backends/GeneratorErrors.cs "$csfiles"
+
+echo ">>>> REFINEMENT"
+
+csfiles="$D/Rewriters/RefinementTransformer.cs"
+./check-errors-a Errors-Refinement.md $D/Rewriters/RefinementErrors.cs "$csfiles"
+
+echo ">>>> REWRITER"
+
+## Omit jsut RefinementTransformer.cs as it is large enough to be handled on its own, just above
+csfiles="$D/Rewriters/[A-Q]*.cs $D/Rewriters/[S-Z]*.cs $D/Rewriters/Run*.cs"
+./check-errors-a Errors-Rewriter.md $D/Rewriters/RewriterErrors.cs "$csfiles"
+
+echo ">>>> RESOLUTION"
+
+csfiles="../../Source/DafnyCore/Resolver/ExpressionTester.cs ../../Source/DafnyCore/Resolver/TypeInferenceChecker.cs ../../Source/DafnyCore/Resolver/GhostInterestVisitor.cs"
+./check-errors-a Errors-Resolution.md ../../Source/DafnyCore/Resolver/ResolutionErrors.cs "$csfiles"
+
+if [ "$keepTmp" == "0" ]; then
+  rm -f tmp-ids*
+fi
+exit 0
+
diff --git a/v4.10.0/HowToFAQ/check-errors-a b/v4.10.0/HowToFAQ/check-errors-a
new file mode 100644
index 0000000..7b5b63b
--- /dev/null
+++ b/v4.10.0/HowToFAQ/check-errors-a
@@ -0,0 +1,87 @@
+#! /usr/bin/env bash
+
+## This script checks consistency in ErrorId use between different uses in Dafny source code.
+## It is meant to be called from 'check-errors', which has a top-level description of the intent of these two scrips.
+
+verbose=0
+if [ "$1" == "-v" ]; then
+  verbose=1
+  shift
+fi
+## Extract the CLI arguments
+mdfiles="$1"
+errfiles="$2"
+srcfiles="$3"
+
+## To avoid false alarms because of repeated ErrorIds, use sort -u to remove duplicates
+## But one can use just 'sort' to check for duplicate use, or even just 'cat' to make sure every file has the 
+## ids in the same order (convenient for code review, but difficult to maintain)
+## Put the desired definition last.
+##
+SORT="cat -"
+SORT="sort"
+SORT="sort -u"
+
+## Remove, create empty tmp files
+rm -rf tmp-ids-md tmp-ids-cs tmp-ids-enum tmp-ids-add
+
+## Collect the ids used in the source code files
+rm tmp-ids
+touch tmp-ids 
+for f in $srcfiles ; do
+ ## Use this next line to see if there are uses of error messages that do not use ErrorIds
+ #grep -E 'SemErr|Error[(]|Warning|Deprecated[^C]|DeprecatedStyle' $f | grep -v UnsupportedFeatureError | grep -v ErrorId
+ grep -E 'ErrorId[.]' "$f" | sed -e 's/^.*ErrorId[.]//' -e 's/[, ].*$//' >> tmp-ids
+done
+cat tmp-ids | $SORT > tmp-ids-cs
+
+## Collect the ids from the .md files
+rm tmp-ids
+touch tmp-ids 
+for f in $mdfiles ; do
+  grep -E '^[#][#]' "$f"  | sed -e 's/^.*{#//' -e 's/}//' | sort -u >> tmp-ids
+done
+echo 'ANY HEADING LINES WITHOUT AN ERRORID in THE MD FILE?'
+for f in $mdfiles ; do
+  grep -E '^[#][#]' "$f"  | grep -v -E '[*][*](Error|Warning)'
+done
+cat tmp-ids | $SORT > tmp-ids-md
+
+## Collect the ids from the enum
+rm tmp-ids
+touch tmp-ids 
+for f in $errfiles ; do
+  grep "_" $f | grep -v -E '[{}()]' | sed -E -e 's/^[ \t]*//' -e 's/[,].*$//' | grep -v ' ' | sort -u  >> tmp-ids
+done
+cat tmp-ids | $SORT > tmp-ids-enum
+
+## Collect the ids from the uses of Add
+rm tmp-ids
+touch tmp-ids 
+for f in $errfiles ; do
+  grep "Add" $f | sed -E -e 's/^[ \t]*Add[(]ErrorId[.]//' -e 's/[,].*$//' | sort -u  >> tmp-ids
+done
+cat tmp-ids | $SORT > tmp-ids-add
+
+## Diffs
+echo "COMPARING ENUMS TO THE SOURCE CODE -- any difference usually means unneeded enums"
+diff tmp-ids-enum tmp-ids-cs
+echo 'COMPARING ENUMS TO MD FILE -- any difference is either unneeded or missing documentation (or unneeded enum)'
+if [ -s tmp-ids-enum ]; then
+  diff tmp-ids-enum tmp-ids-md
+else
+  echo "   NO ENUMS IMPLEMENTED"
+fi
+echo "COMPARING ENUMS TO ADD LIST -- any difference is ErrorIds that do not have in-app explanations or quick fixes"
+if [ -s tmp-ids-add ]; then
+  diff tmp-ids-enum tmp-ids-add
+else
+  echo "   NO ADD IMPLEMENTATIONS"
+fi
+
+## List all the TODOs in the given files
+if [ "$verbose" == "1" ]; then
+echo
+echo TODOs
+grep TODO $mdfiles $srcfiles $errfiles
+fi
diff --git a/v4.10.0/HowToFAQ/index.md b/v4.10.0/HowToFAQ/index.md
new file mode 100644
index 0000000..cc47c42
--- /dev/null
+++ b/v4.10.0/HowToFAQ/index.md
@@ -0,0 +1,127 @@
+---
+title: How-to and FAQ Guide for Dafny users
+---
+
+This page is the table of contents for a compendium of mini-lessons on Dafny programming idioms, how to accomplish various programming tasks in Dafny, how to fix error messages,
+answers to FAQs or even just occasionally asked questions, and even information that you may not have asked yet, but you might.
+
+These pages are not intended to be a reference manual or an organized tutorial for Dafny.
+
+If you have questions that are not addressed here, be sure to communicate them to the Dafny team.
+
+[All content on one page](onepage)
+
+# FAQs
+## Dafny language
+
+- ["How do I format a string?"](FAQStringOutput)
+- ["Where do I put the reads clause in a subset type?"](FAQReadsClause)
+- ["Can datatypes extend traits?"](FAQTraitsForDatatypes)
+- ["What is the difference between a type and a newtype?"](FAQNewtype)
+- ["Why can compiled modules contain but not import abstract modules?"](FAQImportAbstractModule)
+- ["Why does Dafny need an obvious assert?"](FAQNeedsAssert)
+- ["Why do I need a witness clause when I define a subset type or newtype?"](FAQWitness)
+- ["Can I access the members of an outer module from its inner module?"](FAQNestedModule)
+- ["What is `-` on bitvectors?"](FAQBVNegation)
+- ["Is there a simple way to prove the termination of a recursive function?"](FAQRecursiveTermination)
+- ["Is there a way to use methods within expressions?"](FAQMethodSequence)
+- ["If I have an assertion about an object (of class type) and a loop that doesn't mention (read, modify) the object, why does dafny fail to establish the assertion after the loop?"](FAQLoopModifies)
+- ["I can assert a condition right before a return, so why does the postcondition fail to verify?](FAQFailingPost)
+- ["How can I combine sequences of different types?"](FAQSeqTrait)
+- ["How do I disambiguate module names?](FAQModuleNames)
+- ["A function seems to work just once. How do I get it to apply a bunch of times?"](FAQFunctionUnroll)
+- ["Why do nested modules not see the imports of their enclosing modules?"](FAQModuleImport)
+- ["Is there a way to test that two types are the same?"](FAQTypeCompare)
+- ["When a lemma has multiple ensures clauses, I’m finding that they interact, when I expected them to be independent.  For example, commenting out one of them can make another one not verify.  How should I think about this?"](FAQMultClauses)
+- ["What is the difference between a lemma and a ghost method?"](FAQGhostMethod)
+- ["In an invariant, I want to say that once a boolean variable that starts false is set to true, it remains true forever.  Can I use old for this?"](FAQOld)
+- ["When proving an iff (<==>), is there a nice way to prove this by proving each side of the implication separately without making 2 different lemmas?"](FAQIff)
+- ["Is there a way to do partial application for functions?"](FAQCurry)
+- ["Why can a ghost const not be used as a witness? Does the compiler need to use the witness as an initial value?"](FAQGhostConstAsWitness)
+- ["How do I use forall statements and expressions in a lemma?"](FAQForall)
+- ["Is there any difference between a method without a modifies clause and a function method with a reads this clause?  I know that the latter you can use in expressions, but otherwise.  Is there anything the former can do that the latter can’t, for example?"](FAQFunctionMethod)
+- ["Dafny doesn’t like when a type and a module have the same name. How can I fix this?"](FAQNameConflict)
+- ["Is there a way to prevent 'Warning: note, this forall statement has no body' from occurring? I have a forall loop with no body that results in the lemma verifying, but if I add a body (even an empty body) the lemma doesn't verify."](FAQNoBody)
+- ["Is there a way to disable termination checks for recursive predicate definitions that I know to be logically consistent?"](FAQTermination)
+- ["Is there a way to specify that all fields of an object, except a given one, don’t change?"](FAQModifiesOne)
+- ["How do labels in preconditions work?"](FAQPreconditionLabels)
+- ["Where are attributes documented?"](FAQAttribute)
+- ["Is there a way to ask Dafny to die on its first verification failure?"](FAQDie)
+- ["I can define a trait with some type parameters say trait `Test<A, B, C>`. When I use this trait is there a way to get Dafny to infer these types for me?"](FAQTypeInference)
+- ["Does Dafny have monadic error handling?"](FAQMonadic)
+- ["What is the `:-` operator?"](FAQElephant)
+- ["How does `:-` work? I'm getting an unexpected failure."](FAQElephant)
+- ["What is the meaning of and differences among `->`, `-->`, `~>`?"](FAQFunctionTypes)
+- ["What is the difference between `function`, `method`, `function method`, and `function by method`?"](FAQFunctionMethodDiffs)
+- ["Is it possible to restrict a type parameter to be a reference type? I see you can use T(!new) but I’m looking for the opposite."](FAQTypeParameterRestriction)
+- ["A `seq` is an object reference, right?"](FAQReferences)
+- ["How do I pattern match against a head and tail of a sequence or against a set?"](FAQMatchOnSet)
+- ["How do I create a new empty map (or set or sequence)?"](FAQMepSetSeq)
+- ["I have a module that exports a bunch of things. In another module I only need to use 1 thing. Is there a way to import only the thing that I want?"](FAQImportOneThing)
+- ["What is the difference between `modifies this`, `modifies this.x`, and ``modifies this`x``?](FAQModifiesThis)
+- ["How does one define a record?"](FAQRecord)
+- ["What does `forall v :: v in vals ==> false` evaluate to if vals is non-empty?"](FAQTriggers)
+- ["Why does Dafny complain about this use of a set constructor: `set i: int | Contains(i)`?"](FAQSetConstructor)
+- ["What's the syntax for paths in include directives? How do they get resolved?"](FAQIncludes)
+- ["How do `{:split_here}` and `{:focus}` work to divide up a proof?"](FAQSplitHere)
+- ["How does one declare a type to have a default initial value, say a type tagged with {:extern}?'](FAQDefaultInitialValue)
+- ["A module A has names from an `import opened` or another module B, but if C imports A, it does not get those names. Please explain."](FAQImportOpened)
+- ["Are there functional alternatives to recursive calls that are more efficient or use less stack space?"](FAQRecursiveCalls)
+- ["How do I read a file as a string?"](FAQReadFile)
+- ["Can I ask dafny to not check termination of a function?"](FAQNoTermCheck)
+- ["What do {:termination false} and @AssumeCrossModuleTermination do? It looks one of them is required if I want to extend traits from other modules."](FAQTerminationFalse)
+- ["How do I make Dafny termination checking happy with this pattern of mutual recursion?"](FAQMutualRecursion)
+- ["Can it be proved that a class instance is not an instance of a trait?"](FAQTypeReasoning)
+- ["Is there a nice way to turn a set into a seq?"](FAQSetToSeq)
+- ["How do I declare a default value for a parameter of a method or function?"](FAQDefaultParameter)
+- ["I just realized that a function I was compiling had a type-error inside a match case.  Instead of giving a compile error I was getting a redundant clause warning for the second case. What is the reason for this?"](FAQRedundantCase)
+- ["Is there a way I can pass a variable with a generic type to a method with a concrete type?"](FAQ_GenericType)
+- ["How can ghost code call methods with side effects?"](FAQGhostSideEffects)
+- ["How do I create and use an iterator?](FAQIterator)
+- ["Can classes appear in specs?"](FAQClassInSpec)
+- ["How do I write specifications for a lambda expression in a sequence constructor?"](FAQLambdaSpecifications)
+- ["I have a lemma and later an assert stating the postcondition of the lemma, but it fails to prove. Why and how do I fix it?"](FAQMapExtensionality)
+- ["Why can't I write `forall t: Test :: t.i == 1` for an object t?"](FAQForallTricks)
+- ["How do I say 'reads if x then this\`y else this\`z'? Dafny complains about the 'this'."](FAQThisFrameField)
+- ["How do I model extern methods that return objects?"](FAQExternReturnsObject)
+- ["How do I tell Dafny that a class field may be updated?"](FAQUpdateArrayField)
+- ["Why does Dafny not know this obvious property of maps?"](FAQMapMembership)
+- ["I can't prove the equivalence between the method part of a `function by method` and the function itself"](FAQFunctionByMethodProof)
+
+## Dafny tools
+
+- ["Is there a Dafny style? and a Dafny linter (style checker and bad smell warnings)?](FAQStyle)
+- ["Is Dafny available as a library, to be called from other software?](FAQDafnyAsLibrary)
+- ["How do I run boogie manually on the Dafny output?](FAQBoogie)
+- ["Does Dafny verify methods in parallel?"](FAQParallel)
+- ["Is there a doc generator for Dafny?"](FAQDocGenerator)
+- ["How can I improve automation and performance for programs with non-linear arithmetic?"](FAQNonlinearArith)
+- ["It looks like, when compiling to C#, my print statements don't show up if I don't have \n at the end of the string."](FAQNewline)
+- ["Is there a standard library for Dafny?"](FAQStandardLibrary)
+- ["Why do I need to use an old Z3?"](FAQZ3)
+- ["How do I ask a question or file a problem report or make a suggestion about Dafny?"](FAQIssues)
+- ["Any plans to release the language server as a NuGet package? Seems like it’s not part of the Dafny release."](FAQNuget)
+- ["What compiler target languages are in development?"](FAQCompileTargets)
+
+# Errors
+Also see [the error catalog](./Errors) for a complete, searchable list of error messages with explanations.
+
+- ["'z3' cannot be opened because the developer cannot be verified."](ERROR_Z3)
+- ["rbrace expected"](ERROR_Rbrace)
+- ["closeparen expected"](ERROR_CloseParen)
+- ["cannot establish the existence of LHS values that satisfy the such-that predicate"](ERROR_NoLHS)
+- ["type parameter 0 (K) passed to type A must support no references"](ERROR_NoReferenceTypeParameter)
+- ["a modifies-clause expression must denote an object or a set/iset/multiset/seq of objects (instead got map<int, A>)"](ERROR_ModifiesValue)
+- ["name of datatype (String) is used as a function"](ERROR_DataTypeName)
+- ["possible violation of function precondition for op(v)"](ERROR_FunctionPrecondition)
+- ["type ? does not have a member IsFailure"](ERROR_IsFailure)
+- ["value does not satisfy subset constraints of ?"](ERROR_Covariance)
+- ["function precondition might not hold"](ERROR_SeqComp)
+- ["insufficient reads clause to invoke function"](ERROR_InsufficientReads)
+- ["Cannot export mutable field 'x' without revealing its enclosing class 'A'"](ERROR_MutableField)
+- ["this symbol not expected in Dafny"](ERROR_PostconditionLemma)
+- [Prover error: Unexpected prover response (getting info about 'unknown' response): (:reason-unknown "Overflow encountered when expanding old_vector")](ERROR_ProverError1)
+- ["Duplicate name of import: ..."](ERROR_DuplicateImportName)
+- ["Warning: /!\ No terms found to trigger on."](ERROR_NoTriggers)
+- ["Error: value does not satisfy the subset constraints of '(seq\<uint8>, Materials.EncryptedDataKey) -> seq\<uint8>' (possible cause: it may be partial or have read effects)"](ERROR_SubsetConstraints)
+
diff --git a/v4.10.0/HowToFAQ/make-error-catalog b/v4.10.0/HowToFAQ/make-error-catalog
new file mode 100644
index 0000000..f81d1e2
--- /dev/null
+++ b/v4.10.0/HowToFAQ/make-error-catalog
@@ -0,0 +1,20 @@
+#! /usr/bin/env bash
+dir=$(dirname "${BASH_SOURCE[0]}")
+cd "$dir"
+
+FAIL=0
+../../Scripts/dafny documentation Errors-Compiler.template
+if [ "$?" != "0" ] ; then echo "Java build-run failed"; exit 1; fi
+
+diff Errors-Compiler.tmp Errors-Compiler.md || \
+   { echo "Errors-Compiler.md has been altered -- check and commit the edits"; FAIL=1; }
+
+../../Scripts/dafny documentation Errors-Parser.template
+if [ "$?" != "0" ] ; then echo "Java build-run failed"; exit 1; fi
+
+diff Errors-Parser.tmp Errors-Parser.md || \
+   { echo "Errors-Parser.md has been altered -- check and commit the edits"; FAIL=1; }
+
+if [ "$FAIL" != "0" ]; then echo FAILURE; exit 1; fi
+
+
diff --git a/v4.10.0/HowToFAQ/make-onepage b/v4.10.0/HowToFAQ/make-onepage
new file mode 100644
index 0000000..b25b7c1
--- /dev/null
+++ b/v4.10.0/HowToFAQ/make-onepage
@@ -0,0 +1,15 @@
+#! /usr/bin/env bash
+
+## This script concatenates all the linked files in index.md, in the order
+## that they appear, with edits to make it a single markdown page
+
+D=$(dirname "${BASH_SOURCE[0]}")
+cd "$D"
+
+echo '---' > tmp
+echo 'title: How-to and FAQ Guide for Dafny users (one page)' >> tmp
+echo '---' >> tmp
+
+cat `cat index.md | grep -e '- \[' | sed -e 's/-.*[(]//' -e 's/[)]/.md/'` | sed -e 's/---//' -e 's/title:/#/' | cat tmp - > onepage.md
+
+rm tmp
diff --git a/v4.10.0/HowToFAQ/onepage.md b/v4.10.0/HowToFAQ/onepage.md
new file mode 100644
index 0000000..86e6fe6
--- /dev/null
+++ b/v4.10.0/HowToFAQ/onepage.md
@@ -0,0 +1,3021 @@
+---
+title: How-to and FAQ Guide for Dafny users (one page)
+---
+
+# How do I format a string?
+
+
+## Question
+
+How do I format a string?
+
+## Answer
+
+As of version 3.7.3, Dafny has no built-in or library capability to convert values to strings or to format them.
+There is only the `print` statement that emits string representations of values to standard-out.
+
+For now you will need to implement your own methods that convert values to strings, concatenating them to produce formatted strings.
+
+# Where do I put the reads clause in a subset type?
+
+
+## Question:
+
+This example
+```dafny
+{% include_relative FAQReadsClause.dfy %}
+```
+generates this error:
+```text
+{% include_relative FAQReadsClause.txt %}
+```
+but there is no obvious place to put a `reads` clause.
+
+## Answer:
+
+There is no place for the `reads` clause because no such clause should be needed.
+A type definition is not allowed to depend on a mutable field;
+the predicate in the subset type must be pure.
+
+The general idiom is to add a predicate, often named `Valid()`, to a class that
+reads its fields and returns `true` if the class members are appropriately consistent. 
+Then call `Valid()` in the pre- and post-conditions of methods and in
+preconditions of functions and predicates. Here is an example:
+
+```dafny
+class A {
+  var x: string
+  var y: string
+  predicate Valid() reads this {
+    |x| == |y|
+  }
+}
+
+method Test(a: A)
+  requires a.Valid()
+  requires a.x == ""
+  modifies a
+  ensures a.Valid()
+{
+  assert a.Valid(); // That's correct thanks to the precondition.
+  a.x := "abc"; // Because |a.y| == 0, we broke the Valid() predicate
+  assert !a.Valid(); // But that's ok.
+  a.y := "bca";
+  assert a.Valid(); // Now Dafny can prove this
+  // The postcondition holds
+}
+```
+
+The [`{:autocontracts}`]({../DafnyRef/DafnyRef#sec-attributes-autocontracts}) attribute can be helpful here.
+
+Note that the idiom using `Valid()` above is similar to the use of class invariants in other 
+specification languages.
+
+
+# Can datatypes extend traits?
+
+
+## Question:
+
+I heard a rumor of datatypes extending traits coming in the pipeline. How will that work? Will we be able to use `is` and `as` with such types?
+
+## Answer:
+
+Yes, datatypes extending traits are coming (but not immediately).
+The traits would need to be declared when the datatype is declared; the trait cannot be added later on.
+`is` and `as` are possible.
+
+# What is the difference between a type and a newtype?
+
+## Question
+
+One can define a _subset type_ like this
+```
+type int8 = x: int | -128 <= x < 128
+```
+and a newtype like this
+```
+newtype nint8 = x | -128 <= x < 128
+```
+
+What is the difference?
+
+## Answer
+
+In both cases, the values in the type are limited to the given range,
+but a _newtype_ intends to define a whole new type that, although still based on integers and allowing integer operations,
+is not intended to be mixed with integers.
+
+This is evident in the allowed conversions, as shown in this example code:
+```
+{% include_relative FAQNewtype.dfy %}
+```
+
+The other important characteristic of `newtype`s is that they may have a different representation in the compilation target language.
+Subset types are always represented in the same way as the base type.  But a newtype may use a different representation.
+For example, the newtype defined above might use a `byte` representation in Java, whereas an `int` is a `BigInteger`.
+The representation of a newtype can be set by the program author using the [`{:nativeType}`](../DafnyRef/DafnyRef#sec-nativetype) attribute.
+
+# Why can compiled modules contain but not import abstract modules?
+
+
+## Question
+
+Why can compiled modules contain but not import abstract modules?
+
+## Answer
+
+The question refers to code like this:
+```dafny
+abstract module J {}
+
+module K {
+  abstract module JJ {}
+  import J // ERROR
+}
+```
+It is indeed the case that the abstract module `JJ` can be declared in non-abstract module `K` but the abstract module `J` is not permitted to be imported.
+This discrepancy is the subject of a proposed change to Dafny rules (cf. [issue #2635](https://github.com/dafny-lang/dafny/issues/2635)).
+
+In either cases, however, there are limits on what can be done with an abstract submodule.
+It is first of all not compiled as part of the enclosing module. Thus it can only be used as the subject of refinement.
+
+That feature is described in the remainder of this FAQ.
+
+The enclosing module may declare an abstract module A and also a non-abstract module B that refines A.
+A refining module import (`import D : C`) may only occur in an abstract module itself.
+
+Generally speaking, suppose you have an underspecified module that is imported using ':', as in
+```
+abstract module Interface {
+  function addSome(n: nat): nat
+    ensures addSome(n) > n
+}
+abstract module Mod {
+  import A : Interface
+  method m() {
+    assert 6 <= A.addSome(5);
+  }
+}
+```
+Here `A` is abstract because it stands for any concrete module that adheres to the interface declared in `Interface`
+(note that the function `addSome` has no body). Consequently `Mod` must be abstract as well.
+`Interface` is not compilable, but it actually does not need to be declared `abstract`.
+
+Now we can implement a concrete version of `Interface`:
+```
+module Implementation {
+  function addSome(n: nat): nat
+    ensures addSome(n) == n + 1
+  {
+    n + 1
+  }
+}
+```
+
+Then we can implement the concrete module `Mod2` as a refinement of the abstract module `Mod`:
+```
+module Mod2 refines Mod {
+  import A = Implementation
+  ...
+}
+```
+Here the module `Mod.A`, which is an unspecified refinement of `Interface` inside of `Mod`, is refined to be the concrete module
+`Implementation` inside of `Mod2`, which is a refinement of `Mod`.
+
+# Why does Dafny need an obvious assert?
+
+
+## Question:
+
+Why does Dafny need the assert in this example:
+```
+lemma Foo<T>(s: seq<T>, p: seq<T> -> bool)
+  requires p(s[..|s|])
+  ensures p(s)
+{
+  assert s[..|s|] == s;
+}
+```
+
+## Answer
+
+Not all facts about built-in types are built-in to Dafny.
+Some, like this one, need to be asserted or otherwise provided as provable lemmas.
+
+The reason is that trying to provide all seemingly obvious facts is both
+a never-ending chase and, importantly, can lead to trigger loops, proof instabilities, and overall poor performance.
+The importance of having proofs be stable and performance be generally fast outweighs building in all the properties of built-in types that might otherwise be reasonable.
+
+
+# Why do I need a witness clause when I define a subset type or newtype?
+
+
+## Question
+
+Why do I need a witness clause in subtype definitions like
+```
+type A = s: int | Prime(x) witness 13
+```
+
+## Answer
+
+Dafny generally assumes that types are non-empty; the witness is an example value that is in the type, demonstrating that the type is non-empty.
+
+There are defaults for the `witness` clause, so you don't always have to have one. The default value is some zero-equivalent value: `0` for `int` based types, `0.0` for `real`-based types, 
+empty sets, sequence and maps for those base types.
+
+And, it is permitted to have possibly empty types by using a witness clause `witness *`, but there are restrictions on the use of possibly empty types.
+For instance, a declaration of a variable with a possibly-empty type will need an initializer,
+if that variable is ever used, because Dafny requires variables to be 'definitely assigned' before being used.
+
+The Reference Manual contains a [discussion about witness clauses](../DafnyRef/DafnyRef#sec-witness-clauses).
+
+# Can I access the members of an outer module from its inner module?
+
+
+## Question
+
+Can I access the members of an outer module from its inner module?
+```dafny
+{% include_relative FAQNestedModule.dfy %}
+```
+
+## Answer
+
+No. The above example gives the error messages
+```text
+{% include_relative FAQNestedModule.txt %}
+```
+
+From a module you may access your own nested modules.
+You may also access sibling modules and nested modules of sibling modules, but you need to import them.
+That includes sibling modules of a module's own enclosing modules.
+You may not access members of enclosing modules, including members declared at the global level (which are members of an implicit top-level module that includes everything in the program).
+
+In general, there is a dependency order among modules: a module _depends on_ modules whose members it uses.
+A module depends on its own nested modules.
+A program cannot have circular dependencies: a module A cannot use members of module B if B (transitively) depends on A.
+
+```dafny
+module A {
+  module B {
+    const S1 := 10
+  }
+}
+
+const S2 := 21
+const S3 := C.D.A.B.S1 // OK
+
+module C {
+  module D {
+    import A // OK - A is sibling of C
+    import A.B // OK
+    import E // OK - E is sibling of D
+    import E.F // OK
+    // import C // NOT OK - C is enclosing module
+    // import EE = C.E // NOT OK -- can't access enclosing module
+    // const X := S2 // NOT OK -- can't access top-level module
+    const Y := B.S1 // OK - B is imported module
+  }
+  module E {
+    module F {
+    }
+  }
+}
+```
+
+
+# What is `-` on bitvectors?
+
+
+## Question
+
+What is `-` on bitvectors?
+
+## Answer
+
+The `-` operator for bit-vectors is subtraction or unary negation.
+Unary negation, `- b` is equivalent to `0 - b`.
+This is not the same as complement, which is written as `! b`.
+
+For example, the `bv5` value equivalent to the natural number `13` is `01101`.
+- The complement of this value is `10010`, which is `18`.
+- The negation of this value is `10011`, which is `19`.
+
+In 2's complement fixed-bit-width arithmetic, `-x` is `!x + 1`.
+
+# Is there a simple way to prove the termination of a recursive function?
+
+
+## Question
+
+Is there a simple way to prove the termination of a recursive function?
+
+Here is an example function:
+```dafny
+datatype Dummy = State1 | State2
+
+function WalkState(str: string, s: Dummy): string {
+  if str == [] then []
+  else if s.State1? then WalkState(str[1..], Dummy.State2)
+  else WalkState(str, Dummy.State1)
+}
+```
+
+## Answer
+
+In general, to prove termination of any recursive structure, one needs to declare a 
+([well-founded](../DafnyRef/DafnyRef#sec-well-founded-orders)) measure that decreases on each iteration or recursive invocation;
+because a well-founded measure has no infinitely decreasing sequences, the recursion must eventually terminate.
+In many cases, Dafny will deduce a satisfactory (provable) measure to apply by default.
+But where it cannot, the user must supply such a measure. A user-supplied measure is 
+declared in a `decreases` clause. Such a measure is a sequence of expressions, ordered lexicographically by the
+termination metric for each data type; the details of the ordering are 
+explained in the [reference manual section on Decreases Clause](../DafnyRef/DafnyRef#sec-decreases-clause).
+
+In the case of this example, the measure must be a combination of the length of the string, 
+which decreases (and is bounded by 0) in the _else if_ branch and the state, 
+creating a measure in which `Dummy.State1` is less than `Dummy.State2` and so decreases in the
+final _else_ branch. So we can write
+```dafny
+datatype Dummy = State1 | State2
+
+function WalkState(str: string, s: Dummy): string 
+  decreases |str|, if s.State2? then 1 else 0
+{
+  if str == [] then []
+  else if s.State1? then WalkState(str[1..], Dummy.State2)
+  else WalkState(str, Dummy.State1)
+}
+```
+which then proves without further user guidance.
+
+
+# Is there a way to use methods within expressions?
+
+
+## Question
+
+Is there a way to use methods within expressions?
+
+## Answer
+
+No. Dafny distinguishes statements and expressions. Statements are permitted to update variables and fields (that is, have side-effects); expressions are not allowed to do so. In general, methods may have side-effects and so Dafny does not allow methods in expressions.
+So you need to call each method in a statement of its own, using temporary local variables to record the results,
+and then formulate your expression.
+
+If the methods in question do not have side-effects, they can be rewritten as functions or 'function by method'
+and then the syntax decribed above is fine.
+
+# If I have an assertion about an object (of class type) and a loop that doesn't mention (read, modify) the object, why does dafny fail to establish the assertion after the loop?
+
+
+## Question
+
+If I have an assertion about an object and a loop that doesn't mention (read, modify) the class, 
+why does dafny fail to establish the assertion after the loop?
+
+## Answer
+
+The short answer is that you need an appropriate combination of modifies clauses and 
+loop invariants to prove assertions about the end result of a loop.
+
+In Dafny's way of reasoning about a loop (which is typical of verifier systems), 
+the loop invariant is the only thing you can assume at the top of every iteration. 
+In other words, at the top of each loop iteration, it is as if all variables have 
+arbitrary values, with the condition that the loop invariant is satisfied. 
+Sometimes, the word _havoc_ is used to describe this: the verifier havocs all variables, 
+that is, gives all variables arbitrary values, and then assumes the loop invariant.
+
+If that’s all the verifier did, life would be a pain, because you’d have to write a
+loop invariant about all variables in your program, even those that have nothing to do with the loop.
+The verifier actually does better. Instead of havocing all variables, it suffices to havoc 
+the assignment targets within the body of the loop, including anything that might be modified by methods called in the loop body. 
+That is, the verifier uses a simple syntactic scan of the loop body to see which 
+variables may possibly be assigned, and then it havocs only those variables. 
+This saves users from having to write loop invariants about all other variables.
+Only invariants about variables that are modified are needed.
+
+What about the heap? For this purpose, the heap is considered to be one variable. 
+So, the heap is either an assignment target of the loop or it isn’t. 
+This means that if your loop body assigns to anything in the heap, the heap becomes an assignment target. 
+Also, if the loop body allocates another object, that too is a change of the heap, 
+so the heap becomes an assignment target. 
+Furthermore, Dafny’s rule about a method is that a method is allowed to change the 
+state of any object in the method’s modifies clause, 
+and it is also allowed to allocate new objects and to modify their state. 
+Therefore, if your loop body calls a method, then the heap may well become an assignment target.
+
+So, then, does this mean your loop invariant needs to speak about everything in the heap whenever the heap is an assignment target of the loop?
+
+Again, no. Loops in Dafny have `modifies` clauses, just like methods do (and just like for methods, 
+newly allocated objects are implicitly included in those `modifies` clauses). 
+It would be a pain to even have to write `modifies` clauses for every loop, 
+so if a loop does not have an explicit `modifies` clause, Dafny implicitly attaches 
+the `modifies` clause of the enclosing method (or of the enclosing loop, in the case of nested loops). 
+This default behavior turns out to be right in almost all cases in practice, 
+which is why you normally don’t have to think about this issue.
+
+But when it is not, you need to be explicit about the `modifies` clause and the loop invariants. 
+In particular
+- write a `modifies` clause for the loop that includes all objects whose fields might be 
+assigned in the loop body (or listed in the modifies clauses of anything the loop body calls)
+- then write a loop invariant that includes assertions about any variable that is listed in the modifies clause
+or is an assignment target in the loop body. 
+Very typically, the invariant will give a value for each havoced variable showing its relationship to the loop index.
+
+For example, a loop that sets the elements of an array to some initial value might look like this:
+```dafny
+method init(a: array<int>) 
+  modifies a
+  ensures forall j | 0 <= j < a.Length :: a[j] == j
+{
+  var i := 0;
+
+  while i < a.Length
+    modifies a
+    invariant 0 <= i <= a.Length && forall j | 0 <= j < i :: a[j] == j
+  {
+    a[i] := i;
+    i := i + 1;
+  }
+}
+```
+
+Note the following points:
+- The method specifies that it might modify the elements of the array `a`.
+- The loop says that it modifies the same array. 
+In fact that modifies clause could be omitted
+because it would be inherited from the enclosing context.
+- The loop also modifies `i`, but as `i` is a local variable, it need not be listed in the modifies clause.
+- The loop also has an invariant, which has two conjuncts:
+   - One conjunct talks about the local variable `i`. Even though `i` is not in the modifies clause 
+    it is an assignment target, so we need to say what is known about it (prior to the loop test).
+   - The other conjunct talks about the elements of `a`, which depend on `i`, 
+    that is, on how many iterations of the loop have been executed.
+- After the loop, Dafny uses the loop invariant and the negation of the loop guard to conclude `i == a.Length`, and from that and the invariant, Dafny can prove the method's postcondition.
+
+Even when Dafny can infer an appropriate modifies clause, it does not infer loop invariants, so the user always needs to supply those. 
+
+Here is another example:
+```dafny
+class Counter {
+  var n: nat
+}
+
+// print "hello" c.n times and then increment c.n
+method PrintAndIncrement(c: Counter)
+  modifies c
+  ensures c.n == old(c.n) + 1
+{
+  for _ := 0 to c.n
+    // To verify this method, the loop needs one of the following two lines:
+    invariant c.n == old(c.n)
+    modifies {} // empty modifies clause
+  {
+    PrintHello();
+  }
+  c.n := c.n + 1;
+}
+
+method PrintHello() {
+  print "hello\n";
+}
+```
+The for-loop can be specified and the whole method verified in two different ways.
+
+First, suppose we do not include a modifies clause in the loop specifications of the loop.
+Then dafny will use the enclosing modifies clause, which allows changing the
+state of `c`. In order for the method body to know that the loop has not 
+changed `c.n`, the loop needs the invariant `c.n == old(c.n)`.
+
+Alternatively, the loop can specify its own modifies clause,
+`modifies {}`, saying it modifies nothing. Then it follows directly that
+`c.n` does not change in the loop, so no invariant is needed to carry out the proof.
+
+# I can assert a condition right before a return, so why does the postcondition fail to verify?
+
+
+## Question
+
+I can assert a condition right before a return, so why does the postcondition fail to verify?
+
+## Answer
+
+There can be lots of reasons why a postcondition might fail to verify, but if you can prove the same predicate just before a return, 
+a typical reason is that there are other exit paths from the method or function. There might be other `return` statements, but a
+harder to spot exit path is the `:-` let-or-fail assignment.
+Here is a sketch of that kind of problem:
+
+```dafny
+include "library/Wrappers.dfy"
+
+method test(MyClass o) returns (r: Wrappers.Result<int>)
+  modifies o;
+  ensures o.ok == true;
+{
+  o.ok := true;
+  o.data :- MyMethod(o);
+  assert o.ok;
+  return;
+}
+```
+(This example uses the `Result` type from the [standard library](https://github.com/dafny-lang/libraries/blob/master/src/Wrappers.dfy). The `include` directive in the example requires that you have a copy of the standard library in `./library`.)
+
+This method can exit either through the `return` at the end or through the failure return if a failure value is returned
+from `MyMethod`. That return happens before the `assert` that is intended to do a pre-check of the postcondition; depending
+on the action of `MyMethod`, the target predicate may not be always true.
+  
+
+# How can I combine sequences of different types?
+
+
+## Question
+
+How can I combine sequences of different types?
+
+## Answer
+
+It depends on the types. If the different types are subset types of a common base type, you can make a combined list of the base type. Similarly if the two types are classes (or traits) that extend a common trait, then you can combine sequences into a sequence of that trait. And since all classes extend the trait `object`, that can be the common type.
+
+Here is some sample code:
+```dafny
+trait T {}
+class A extends T {}
+class B extends T {}
+
+method m() {
+  var a: A := new A;
+  var sa: seq<A> := [ a ];
+  var b := new B;
+  var sb : seq<B> := [b ];
+  var st : seq<T> := sa + sb;
+  var so : seq<object> := sa + sb;
+}
+```
+
+In fact, Dafny will generally infer a common type for you in the case of sequence concatentation.
+
+# How do I disambiguate module names?
+
+
+## Question
+
+How do I disambiguate module names in an example like this:
+```dafny
+{% include_relative FAQModuleNames0.dfy %}
+```
+
+## Answer
+
+There is no direct syntax to do what is wanted here.
+If you have control of the names, perhaps some renaming or moving the top-level `util` to be a sub-module of another module.
+If this structure cannot be changed, then the following somewhat ugly code is a work-around:
+```dafny
+{% include_relative FAQModuleNames.dfy %}
+```
+
+There is discussion of defining syntax that names the top-level module, which would make an easy way to solve the above problem. See [this issue](https://github.com/dafny-lang/dafny/issues/2493).
+
+# A function seems to work just once. How do I get it to apply a bunch of times?
+
+
+## Question
+
+A function seems to work just once. How do I get it to apply a bunch of times?
+Here is an example:
+```
+{% include_relative FAQFunctionUnroll0.dfy %}
+```
+
+The latter two lemmas will not prove without uncommenting the application of the lemma for one less iteration.
+How can I get this to prove automatically?
+
+## Answer
+
+Function bodies are transparent. That is, when there is a call to a function in Dafny code, the body of the function
+is available for reasoning about the effect of the function. But for recursive functions, it generally only does this once or twice, as that is 
+usually sufficient to form an inductive proof. And always unrolling multiple times can reduce performance.
+
+You can request that Dafny unroll a function multiple times by using the `{:fuel}` attribute.
+The value of the attribute is the number of times the function will be unrolled. This is still a fixed upper limit,
+but it does the trick in this case:
+```
+{% include_relative FAQFunctionUnroll1.dfy %}
+```
+
+A function will also keep unrolling if it has an argument that is a literal and that argument decreases
+on each recursive call. So for this example we can write a helper function that takes a `nat` argument
+and give it a literal value that tells it how much to unroll.
+```
+{% include_relative FAQFunctionUnroll2.dfy %}
+```
+With this solution, the number of unrollings can be set at the call site, rather than in the function definition.
+
+[This paper](https://www.microsoft.com/en-us/research/publication/computing-smt-solver/) gives some technical insight into how recursive functions are handled in situations like these examples.
+
+
+# Why do nested modules not see the imports of their enclosing modules?
+
+
+## Question
+
+Why is my import opened statement not working in the following example:
+```
+{% include_relative FAQModuleImport.dfy %}
+```
+
+## Answer
+
+Although nested modules are nested inside other modules, they should really be thought of as their own module.
+There is no particular benefit to module `A.B` from being nested inside module `A`  none of the declarations of `A` are visible in `B` other than the names of sibling modules of `B`.
+The benefit is to module `A`, for which the nested module `B` is a namespace that can group some related declarations together.
+
+Accordingly, if you want some names from another module to be available within a submodule, you must import that directly in the submodule.
+The example above becomes this:
+```
+{% include_relative FAQModuleImport1.dfy %}
+```
+
+# Is there a way to test that two types are the same?
+
+
+## Question
+
+Is there a way to test that two types are the same, as in this exmple:
+```
+{% include_relative FAQTypeCompare.dfy %}
+```
+
+## Answer
+
+No. Types are not first-class entities in Dafny. There are no variables or literals of a type `TYPE`.
+There is a type test for reference types, namely `is`, but that is not a strict type equality but a
+test that the dynamic type of a reference object is the same as or derived from some named type.
+
+# When a lemma has multiple ensures clauses, I’m finding that they interact, when I expected them to be independent.  For example, commenting out one of them can make another one not verify.  How should I think about this?
+
+
+## Question
+
+When a lemma has multiple ensures clauses, I’m finding that they interact, when I expected them to be independent.  For example, commenting out one of them can make another one not verify.  How should I think about this?
+
+## Answer
+
+Multiple ensures clauses, such as `ensures P ensures Q ensures R` is equivalent to the conjunction, in order, of the ensures predicates: `ensures P && Q && R`.
+The order is important if an earlier predicate is needed to be sure that a later one is well defined. For example,
+if `a` is an `array?`, the two predicates in `ensures a != null ensures a.Length > 0`
+must be in that order because `a.Length` is well-defined only if `a != null`.
+
+In addition, sometimes one ensures clause serves as an intermediate reasoning step for the next one. Without the earlier clause, Dafny can have trouble proving the second one, even though it is valid.
+With the first predicate as an intermediate step, the second is then more easily proved.
+
+This order dependence of postconditions is also the case for preconditions and loop invariants
+
+# What is the difference between a lemma and a ghost method?
+
+
+## Question
+
+What is the difference between a lemma and a ghost method?
+
+## Answer
+
+A `lemma` is a `ghost method` that does not have a `modifies` clause. Lemmas also do not typically return results.
+However, in most places where a lemma is used, it must be declared as a lemma. For example the lemma call that can be part of an expression must call a method that is declared to be a lemma, not a ghost method.
+
+A lemma may also be called as a statement in the body of a method, but here a ghost method is allowed as well, so either can be used.
+
+# In an invariant, I want to say that once a boolean variable that starts false is set to true, it remains true forever.  Can I use old for this?
+
+
+## Question
+
+In an invariant, I want to say that once a boolean variable that starts false is set to true, it remains true forever.  Can I use old for this?
+
+## Answer
+
+Almost but not quite. `old` gives you the value of an expression in the method's pre-state or at given label. 
+Equivalently. you can stash the value of an expression at some point in the control flow in some temporary (even ghost) variable.
+Then you can state a predicate saying "if the expression was true at that specific point, then it is still true now when I am testing it".
+
+But that is not quite saying "once an expression becomes true, it stays true".
+For that you need a more complicated solution:
+- declare a ghost variable `nowTrue`, initialized to `false`
+- at every location where the expression (call it `e`) is set, 
+   - first test its new value: `if nowTrue && !e { FAILURE }`
+   - and then set the ghost value `nowTrue := nowTrue || e;`
+
+# When proving an iff (<==>), is there a nice way to prove this by proving each side of the implication separately without making 2 different lemmas?
+
+
+## Question
+
+When proving an iff (<==>), is there a nice way to prove this by proving each side of the implication separately without making 2 different lemmas?
+
+## Answer
+
+Here are two ways to prove `A <==> B`:
+
+```
+if A {
+  // prove B...
+}
+if B {
+  // prove A...
+}
+```
+Another way is
+```
+calc {
+  A;
+==
+  // ...
+==
+  B;
+}
+```
+
+# Is there a way to do partial application for functions?
+
+
+## Question
+
+Is there a way to do partial application for functions in Dafny?
+
+## Answer
+
+Given
+```
+function f(i: int, j: int): int {...}
+```
+one can create a new partially-evaluated function, say evaluating the first argument at `2`, by writing the lambda expression `k => f(2,k)`.
+But note that this does not do any evaluation, partial or not. It merely defines a new function `f'` of one argument, such at `f'(k)` is `f(2,k)`.
+
+Dafny does not permit the syntax `f(2)` as a shorthand for `k => f(2,k)`.
+
+# Why can a ghost const not be used as a witness? Does the compiler need to use the witness as an initial value?
+
+
+## Question
+
+Why can a ghost const not be used as a witness? Does the compiler need to use the witness as an initial value?
+
+## Answer
+
+A type can be
+- auto-initializing (which means the compiler knows of a value of the type)
+- nonempty (which means there is a value of the type, but the compiler might not know it)
+- possibly empty (neither or the above is true)
+
+To show a type is auto-initializing, you may need to provide a witness clause. The expression given in the witness clause must be compilable.
+To just show a type is nonempty, you can use a ghost witness clause. It takes a ghost expression, so you should be able to use your ghost const here.
+If you don’t care about either, you can say `witness *`, which makes the type be treated as possibly empty.
+
+When declaring generic types, one can use _type characteristics_ to indicate any restrictions on the types that may be substituted for a type parameter.
+For example, writing `class A<T(0)>` says that types substituted fo `T` must be auto-initializing;
+writing `class A<T(00)>` says that such types must be non-empty.
+
+# How do I use `forall` statements and expressions in a lemma?
+
+
+## Question
+
+If I'm trying to prove a lemma in Dafny with a `forall` statement that needs help in the body (`{}`) of the lemma, how do I make an arbitrary variable in the body of the lemma to help prove the `forall` statement?
+
+## Answer
+
+Note that there is a difference between a `forall` expression, which is a universally quantified formula, and a `forall` statement, which is used to establish the truth of a universally quantified formula. To do what you want to do, write:
+```dafny
+lemma MyLemma()
+  ensures forall s :: P(s) ==> Q(s)
+{
+  forall t | P(t)
+    ensures Q(t)
+  {
+    // Here, t is in scope, and P(t) is assumed.
+    // Your task here is to prove Q(t) for this particular t.
+  }
+  // Here, you get to assume "forall t :: P(t) ==> Q(t)"
+}
+```
+
+The `forall` in the ensures is an expression and the `forall` in the body of the lemma is a statement.
+
+This use of the `forall` statement is what logicians call “universal introduction”.
+
+Note the slight difference in syntax between the `forall` expression and `forall` statement.
+Although Dafny tries to make the syntax of these sorts of things as similar as possible between expressions and statements, there are some differences. 
+The following Dafny Power User note may be helpful in understanding the syntax: [Dafny Power User: Statement vs. Expression Syntax](http://leino.science/papers/krml266.html).
+
+# Is there any difference between a method without a modifies clause and a function with a reads this clause?  I know that the latter you can use in expressions, but otherwise, is there anything the former can do that the latter can’t, for example?
+
+
+## Question
+
+Is there any difference between a method without a `modifies` clause and a function method with a `reads this` clause?  I know that the latter you can use in expressions.  Is there anything the former can do that the latter can’t, for example?
+
+## Answer
+
+Compared to a function, a method can
+- allocate objects and arrays (`new`)
+- use non-determinism
+- use loops
+- have multiple outputs
+- read anything in the heap
+
+# Dafny doesn’t like when a type and a module have the same name. How can I fix this?
+
+
+## Question
+
+Dafny doesn’t like when a type and a module have the same name. How can I fix this?
+```
+{% include_relative FAQNameConflict.dfy %}
+```
+produces
+```
+{% include_relative FAQNameConflict.txt %}
+```
+
+## Answer
+
+The problem is that in the `Test` module, the name `Result` is both a module name and a datatype name.
+The module name takes precedence and so the resolution error happens.
+(Despite the error message, modules never have type arguments.)
+
+This situation can be fixed two ways. First, write `Result.Result` to mean the datatype. Or second, 
+import the module with a new name, such as `import opened R = Result`. Then inside module Test, there is
+the name `R` for a module and the name `Result` for the datatype. The following code shows both these options.
+```
+{% include_relative FAQNameConflict1.dfy %}
+```
+
+# "Is there a way to prevent 'Warning: note, this forall statement has no body' from occurring? I have a forall loop with no body that results in the lemma verifying, but if I add a body (even an empty body) the lemma doesn't verify."
+
+
+## Question
+
+Is there a way to prevent "Warning: note, this forall statement has no body" from occurring? I have a forall loop with no body that results in the lemma verifying, but if I add a body (even an empty body) the lemma doesn't verify.
+
+## Answer
+
+The Dafny verifier allows you to omit the body of various constructs. For example, if you write a method without a body, the verifier will gladly check calls to the method against that specification (after checking the well-formedness of the method specification). This is nice, because it lets you write the specification of a method and then start using it in other places, only to later return to filling in the body of the method.
+
+The verifier is happy with such a body-less thing, but the once verification is done and you’re asking Dafny to compile your program, the compiler will complain, because it doesn’t know how to synthesize code for the method specification you wrote.
+
+You can also do this with loops. For example, you can write
+```dafny
+while i < N
+  invariant s == i * (i + 1) / 2
+```
+and not give a body. Again, the verifier is happy and will gladly check the rest of the code that follows the loop. This allows you to write down the loop invariant and make sure that the code after the loop is fine, only to later return to filling in the loop body.
+
+If you leave off the body of a loop, Dafny will gently remind you of this by giving a warning like “this loop statement has no body”.
+
+The forall statement is an aggregate statement. It simultaneously performs something for all values of the bound variables. In proofs, the forall statement is used as the counterpart of what logicians call “universal introduction”. In code, the forall statement has various restrictions, and is typically used to initialize all elements of an array.
+The forall statement can also be declared without a body. Again, the verifier is happy to reason about its use, but the compiler would complain that there’s no body.
+
+So, in the end, you do need to prove a body for your forall statements. You’ll have to make sure the body establishes the postcondition of the forall statement.
+
+And even for functions and lemmas without bodies, even though the verify does not complain, they are unproved assumptions in your program.
+
+# Is there a way to disable termination checks for recursive predicate definitions that I know to be logically consistent?
+
+
+## Question
+
+Is there a way to disable termination checks for recursive predicate definitions that I know to be logically consistent?
+
+## Answer
+
+Well, first of all, be careful about thinking things like "I know this to be logically consistent". Verifiers exist to check our human tendency to hand-wave over questionable assumptions.
+
+That said, you can do something like this:
+
+```dafny
+predicate P(x: int, terminationFiction: int)
+  decreases terminationFiction
+{
+  assume 0 < terminationFiction;
+  P(x, terminationFiction - 1)
+}
+```
+
+That may cause some quantification triggering problems and may need an axiom like
+```
+forall x,j,k:int :: P(x, j) == P(x, k)
+```
+
+It can also help to manually instantiate an axiom to avoid triggering issues:
+declare the axiom like this:
+```dafny
+lemma {:axiom} PSynonym(x: int, j: int, k: int)
+  ensures P(x, j) == P(x, k)
+```
+and then call the lemma as needed.
+
+# Is there a way to specify that all fields of an object, except a given one, don’t change?
+
+
+## Question
+
+Is there a way to specify that all fields of an object, except a given one, don’t change?
+
+## Answer
+
+Instead of writing `modifies this` or `modifies o`, you can write ``modifies this`f`` (equivalently ``modifies `f``)
+or ``modifies o`f``
+to indicate that just the field `f` of `this` or `o`, respectively, may be assigned to.
+
+# How do labels in preconditions work?
+
+
+## Question
+
+How do labels in preconditions work?
+
+## Answer
+
+```dafny
+{% include_relative FAQPreconditionLabels.dfy %}
+```
+
+In the code example above, the precondition `x == 0` is labeled with `Zero`.
+Unlabeled preconditions are assumed at the beginning of a method body,
+but labeled preconditions are not. Labeled preconditions are only assumed
+when they are explicitly `reveal`ed. So in the example, the assert in method 
+`M1` cannot be proved because the fact `x < 10` is not known. 
+In method `M2`, that fact is made known by the `reveal` statement, and so here
+the `assert` can be proved. The effect of the `reveal` is just as if an assumption were
+made at the point of the `reveal` statement.
+
+Note that if the `reveal` statement is in a `by`
+block of an `assert by` statement, then the revealing is limited to the proof of the 
+corresponding `assert`.
+
+These same rules apply to labeled `assert` statements.
+
+There is an expanded discussion in section 7 of [_Different Styles of Proofs_](http://leino.science/papers/krml276.html).
+
+# Where are attributes documented?
+
+
+## Question
+
+Where are attributes documented? Why does my attribute not seem to make a difference?
+
+## Answer
+
+In general, attributes are documented in a chapter of the [reference manual](../DafnyRef/DafnyRef#sec-attributes); some are also documented in the sections in which the language feature for which they are relevant is described.
+However, at present not all of them are documented.
+
+Some projects with forks of Dafny may introduce attributes of their own.
+Keep in mind, that any attributes not recognized by Dafny are silently ignored, to allow for such extension.
+
+# Is there a way to ask Dafny to die on its first verification failure?
+
+
+## Question
+
+Is there a way to ask Dafny to die on its first verification failure?
+
+## Answer
+
+No. At least as of version 3.7.3.
+
+# I can define a trait with some type parameters say trait Test<A, B, C>. When I use this trait is there a way to get Dafny to infer these types for me?
+
+
+## Question
+
+I can define a trait with some type parameters say trait `Test<A, B, C>`. When I use this trait is there a way to get Dafny to infer these types for me?
+
+## Answer
+
+Type inference, though quite extensive in its effect, only works within the bodies of functions and methods.
+Types in signatures and actual values for type parameters need to be written explicitly.
+
+When type inference is used (within a body), types are determined by how they are used, not just be initializing
+expressions. So the inferred type in a declaration may depend on code that appears textually after the declaration.
+Here is some example code:
+```dafny
+class C<X(0)> {
+  static method M() returns (x: X) {
+  }
+
+  method P() {
+    var x0 := M();        // type of x0 inferred to be X, from M()'s signature
+    var x1 := C<int>.M(); // type of x1 inferred to be int
+    var x2: int := C.M(); // M() instantiated with int
+
+    var x3 := C.M();      // error: type of x3 is underspecified
+    var x4: int := M();   // error: M() instantiated with X, but x4 has type int
+  }
+}
+```
+
+# Does Dafny have monadic error handling?
+
+
+## Question
+
+Does Dafny have monadic error handling?
+
+## Answer
+
+Yes.
+
+In particular, see the section of the reference manual on [Update with Failure statements](../DafnyRef/DafnyRef#sec-update-failure).
+The (draft) standard library includes [some types needed for error handling](https://github.com/dafny-lang/libraries/blob/master/src/Wrappers.dfy).
+
+You can define your own monadic error type by following examples in the RM and the draft library. A simple case is
+```dafny
+datatype Outcome<T> =
+            | Success(value: T)
+            | Failure(error: string)
+{
+  predicate IsFailure() {
+    this.Failure?
+  }
+  function PropagateFailure<U>(): Outcome<U>
+    requires IsFailure()
+  {
+    Failure(this.error) // this is Outcome<U>.Failure(...)
+  }
+  function Extract(): T
+    requires !IsFailure()
+  {
+    this.value
+  }
+}
+```
+
+# What is the `:-` operator? How does it work?
+
+
+## Question
+
+What is the `:-` operator? How does it work?
+
+## Answer
+
+This operator is called the _elephant operator_ (because it has a trunk).
+It is used to write code that exits on failure (much like exceptions in other programming languages or the ? operator in Rust).
+The topic is discussed at length in
+the section of the reference manual on [Update with Failure statements](../DafnyRef/DafnyRef#sec-update-failure).
+
+In brief, Dafny permits methods to return values of _failure-compatible_ types. If the result of a method is being assigned to a variable with the `:-` operator and the result is a failure, then the method exits immediately, with the failure being propagated to the calling method.
+
+# What is the `:-` operator? How does it work?
+
+
+## Question
+
+What is the `:-` operator? How does it work?
+
+## Answer
+
+This operator is called the _elephant operator_ (because it has a trunk).
+It is used to write code that exits on failure (much like exceptions in other programming languages or the ? operator in Rust).
+The topic is discussed at length in
+the section of the reference manual on [Update with Failure statements](../DafnyRef/DafnyRef#sec-update-failure).
+
+In brief, Dafny permits methods to return values of _failure-compatible_ types. If the result of a method is being assigned to a variable with the `:-` operator and the result is a failure, then the method exits immediately, with the failure being propagated to the calling method.
+
+# What is the meaning of and differences among `->`, `-->`, `~>`?
+
+
+## Question
+
+What is the meaning of and differences among `->`, `-->`, `~>`?
+
+## Answer
+
+These are all used in designating the type of functions; they are sometimes called _arrow types_.
+In each case, `A -> B` is the type of a function taking an argument of type `A` and producing a value of type `B`;
+The function argument types can be enclosed in parentheses, and if the number of arguments is not 1 or the argument is a tuple type, then the argument types must be enclosed in parentheses. For example,
+`(A, B) -> C` is a type of function that takes two arguments; `((A, B)) -> C` takes as argument a 2-tuple.
+
+The three symbols in the question denote different sorts of types of functions:
+- `->` denotes a _total_ function that is independent of the heap; it may not have a `requires` clause (precondition) or a `reads` clause
+- `-->` denotes a _partial_ function; it may have a precondition, but may not have a `reads` clause, and so it also is independent of the heap
+- `~>` denotes a _partial_ and possibly _heap-dependent_ function; it may have `requires` and `reads` clauses
+
+If a function is independent of the heap, it is useful to say so, either in its declaration or the type that describes it. The value returned by a heap-independent function depends only on its arguments and not on the program state; 
+thus it is easier to reason about its properties. Working with heap-dependent functions is much more difficult than with heap-independent functions, so use `->` or `-->` if you can. And note that Dafny does not support polymorphic arrow types.
+
+# What is the difference between `function`, `method`, `function method`, and `function by method`?
+
+
+## Question
+
+What is the difference between `function`, `method`, `function method`, and `function by method`?
+
+## Answer
+
+The names of these alternatives will be changing between Dafny 3 and Dafny 4:
+
+- `function` (`function method` in Dafny 3) -- is a non-ghost function
+- `ghost function` (`function` in Dafny 3) -- is a ghost function
+- _function by method_ is a ghost function with an alternate compilable (non-ghost) method body (cf. [the reference manual section on function declarations](../DafnyRef/DafnyRef#sec-function-declarations))
+- `method` declares a non-ghost method
+- `ghost method` declares a ghost method, though this is almost always done using a `lemma` instead
+
+Note that
+- Methods may have side effects but may not be used in expressions.
+- Functions may be used in expressions but may not have side effects.
+- Methods do not have reads clauses; functions typically do.
+- Non-ghost methods and non-ghost functions may not be used in ghost code.
+
+# Is it possible to restrict a type parameter to be a reference type? I see you can use T(!new) but I’m looking for the opposite.
+
+
+## Question
+
+Is it possible to restrict a type parameter to be a reference type? I see you can use `T(!new)` but I’m looking for the opposite.
+
+## Answer
+
+No. The only restrictions available (as of version 3.7.3) are
+- `T(==)` - type supports equality
+- `T(0)` - type is auto-initializable
+- `T(00)` - type is non-empty
+- `T(!new)` - type may **not** be a reference type or contain a reference type
+
+See the [appropriate section of the reference manual](../DafnyRef/DafnyRef#sec-type-parameter-variance) for more information.
+
+# A `seq` is an object reference, right?
+
+
+## Question
+
+A `seq` is an object reference, right?
+
+## Answer
+
+No. Types in Dafny are either heap-dependent (reference) types or strict value-types. Built-in types are typically value types.
+Value types are heap independent, though they may be stored in the heap as part of an object.
+
+Value types include `bool`, `int`, `char`, `real`, `ORDINAL`, datatypes and co-datatypes, arrow types, bit-vector types, `seq`, `set`, `iset`, `multiset`, `map`, `imap`, `string`, tuple types,  and subset or newtypes with value type bases.
+
+Reference types are classes, traits, arrays, and iterators.
+
+The values of value types are immutable; new values may be computed but are not modified. Integers are a good mental
+model for value types, but in Dafny, datatypes, sequences, sets, and maps are also immutable values. 
+Note that though the values of these types are immutable,
+they may contain instances of reference types (which might be mutable).
+
+# How do I pattern match against a head and tail of a sequence or against a set?
+
+
+## Question
+
+How do I pattern match against a head and tail of a sequence or against a set?
+
+## Answer
+
+You can't. Match [expressions](../DafnyRef/DafnyRef#sec-match-expression) and [statements](../DafnyRef/DafnyRef#sec-match-statement) operate on `datatype` values and not on other Dafny types like sets, sequences, and maps. If statements, perhaps with [binding guards](../DafnyRef/DafnyRef#sec-binding-guards), may be an alternative.
+
+
+# How do I create a new empty map (or set or sequence)?
+
+
+## Question
+
+How do I create a new empty map (or set or sequence)?
+
+## Answer
+
+An empty sequence is denoted by `[]`, an empty set by `{}`, an empty multiset by `multiset{}`,  and an empty map by
+`map[]`. The type of the empty collection is typically inferred from its subsequent use.
+
+The various operations on values of these types are described [in the reference manual section on Collection Types](../DafnyRef/DafnyRef#sec-collection-types).
+
+# I have a module that exports a bunch of things. In another module I only need to use 1 thing. Is there a way to import only the thing that I want?
+
+
+## Question
+
+I have a module that exports a bunch of things. In another module I only need to use 1 thing. Is there a way to import only the thing that I want?
+
+## Answer
+
+The short answer is: use an export set.
+
+Here is an example. Suppose you have this code:
+``` dafny
+module A {
+  export JustJ reveals j
+  const i: int := 64
+  const j: int := 128
+}
+module B {
+  //import opened A // imports both i and j
+  import opened A`JustJ // just imports j
+}
+```
+The `export` directive in module `A` just exports the name `j` in the export set `JustJ`.
+So then you can import just `j` in `B` by importing ``A`JustJ``.
+
+You can create as many export sets as you like, for different contexts.
+See the details [here](../DafnyRef/DafnyRef#sec-export-sets-and-access-control).
+
+This feature does put the onus of defining the groups of exportable names on the supplying module.
+Your question asks for such control by the receiving module. The best course for the receiving
+module is to not use `import opened` and just use a qualified name for the one thing that is being used from the
+supplying module.
+
+# What is the difference between modifies this, modifies this.x, and modifies this`x?
+
+
+## Question
+
+What is the difference between `modifies this`, `modifies this.x`, and ``modifies this`x``?
+
+## Answer
+
+A `modifies` clause for a method lists object references whose fields may be modified by the body of the method.
+- `this` means that all the fields of the `this` object may be modified by the body
+- `this.x` (where `x` is a field of `this` and has some reference type) means that fields of `x` may be modified (but not the field `x` itself of `this`)
+- ``this`x`` means that just the field `x` of `this` may be modified (and not any other fields, unless they are listed themselves)
+
+If there are multiple items listed in the modifies clause, the implicit clause is the union of all of them.
+More on framing (`modifies` and `reads` clauses) can be found in the [reference manual section on Framing specifications](../DafnyRef/DafnyRef#sec-frame-expression).
+
+# How does one define a record?
+
+
+## Question
+
+How does one define a record?
+
+## Answer
+
+The Dafny `datatype` feature lets you define simple or complex records, including recursive ones.
+
+A simple enumeration record might be defined as
+```dafny
+datatype ABCD = A | B | C | D
+```
+Variables of type `ABCD` can take one of the four given values.
+
+A record might also be a single alternative but with data values:
+```dafny
+datatype Date = Date(year: int, month: int, day: int)
+```
+where a record instance can be created like `var d := Date(2022, 8, 23)` and componenents retrieved like `d.year`.
+
+There can be multiple record alternatives each holding different data:
+```dafny
+datatype ABCD = A(i: int) | B(s: string) | C(r: real) | D
+const a: ABCD := A(7)
+const b: ABCD := B("asd")
+const c: ABCD := C(0.0)
+const d: ABCD := D
+```
+
+You can determine which alternative a record value is with the built-in test functions: with the definitions above, `a.A?` is true and `b.C?` is false. And you can extract the record alternative's
+data: in the above `a.i` is well-defined if `a.A?` is true, in which case it has the value `7`.
+
+There is more description of datatypes [here](../DafnyRef/DafnyRef#sec-algebraic-datatype).
+
+# "What does `forall v :: v in vals ==> false` evaluate to if `vals` is non-empty?"
+
+
+## Question
+
+What does `forall v :: v in vals ==> false` evaluate to if `vals` is non-empty?
+Should it be false? I’m having some problem proving the last assertion in Dafny.
+
+```dafny
+assert vals != [];
+assert MatchingResult() == (forall v :: v in vals ==> false);
+assert !MatchingResult();
+```
+
+## Answer
+
+The problem here is the trigger on the quantification expression.
+Dafny sees the `forall` quantifier but uses it only when there is a `v in vals` fact in the context for some v (this is what the annotation on the forall in the VSCode IDE means: Selected triggers: {v in vals}).  So until you give it a concrete fact to "trigger" on, it doesn't use your quantifier.
+
+It is not recommended that users insert triggers in their Dafny code. Rather, it is better to reorganize the 
+quantification expressions to make the desired trigger more obvious to the Dafny tool.
+Here are two references that explain triggers in more detail:
+- [A wiki page on triggers](https://github.com/dafny-lang/dafny/wiki/FAQ#how-does-dafny-handle-quantifiers-ive-heard-about-triggers-what-are-those)
+- [Pages 2--4 of this paper](https://pit-claudel.fr/clement/papers/dafny-trigger-selection-CAV16.pdf)
+
+# "Why does Dafny complain about this use of a set constructor: `set i: int | Contains(i)`?"
+
+
+## Question
+
+Why does Dafny complain about this use of a set constructor: `set i: int | Contains(i)`?
+Here is an example:
+```dafny
+module test {
+
+  ghost const things: set<int>
+
+  predicate Contains(t: int) 
+  {
+    t in things
+  }
+
+  function ThisIsOk(): set<int> {
+    set i: int | i in things && i > 0
+  }
+
+  function ThisIsNotOk(): set<int> {
+    set i: int | Contains(i) && i > 0
+  }
+
+}
+```
+
+which produces the error "the result of a set comprehension must be finite, but Dafny's heuristics can't figure out how to produce a bounded set of values for 'i'".
+
+## Answer
+
+In constructing a `set`, which must be finite, Dafny must prove that the set is indeed finite.
+When the constructor has `i in things` inlined, Dafny can see that the set of values of `i` for which the predicate is true can be no larger than `things`, which is already known by declaration to be 
+a finite set. However, when the predicate is `Contains`, Dafny cannot in general see that fact.
+The Dafny's heuristic for determining that the constructor is producing a finite set does not
+inspect the body of `Contains` even though that is a transparent function. Note that if the constructor and the return type of `ThisIsNotOK` is made `iset`, Dafny does not complain.
+
+An alternate general way to refine a set is given by this example:
+```dafny
+module test {
+
+  ghost const things: set<int>
+
+  function RefineThings(condition: int -> bool): set<int>
+  {
+    set t: int | t in things && condition(t)
+  }
+
+  function ThisIsOk(): set<int> {
+    set i: int | i in things && i > 0
+  }
+
+  function ThisIsOkAgain(): set<int> {
+    RefineThings(i => i > 0)
+  }
+}
+```
+
+# What's the syntax for paths in include directives? How do they get resolved?
+
+
+## Question
+
+What's the syntax for paths in include directives? How do they get resolved?
+
+## Answer
+
+An include directive  is the `include` keyword followed by a string literal (in quotes).
+The string is a conventional file path for the OS on which you are running and is the full file name with extension.
+The filepath can be either absolute or relative; if relative, it is relative to the current working directory 
+(i.e., the result of `pwd` on Linux).
+
+As of version 3.7.3, there is no "include path" that might allow paths relative to other locations, but it is a feature request.
+
+# How do `{:split_here}` and `{:focus}` work to divide up a proof?
+
+
+## Question
+
+How do `{:split_here}` and `{:focus}` work to divide up a proof?
+
+## Answer
+
+Verifying a method requires proving a large number of assertions.
+Dafny uses a backend prover (an SMT solver) to verify assertions. The prover may become better or worse at verifying an assertion if you ask it to also verify another assertion. 
+Dafny allows you to split up a group of assertions into batches, where each batch is sent to the SMT solver separately, so the verification of each batch is not influenced by the others.
+
+
+One default way of operating is to combine all assertions into one batch, leading to a single run of the prover. 
+ However, even when this is more efficient than the combination of proving each
+assertion by itself (with prover start-up costs and the like for each one), it can also take quite a while to give a final result, possibly even timing-out.
+
+So sometimes it is preferable to prove each assertion by itself, using the `-vcsSplitOnEveryAssert` command-line option.
+
+But there are also intermediate options. Look at the various command-line options under "Verification-condition splitting".
+
+Another way to split up the way in which assertions are grouped for proof is to use the two attributes `{:focus}` and `{:split_here}`,
+both of which are applied to assert statements.
+
+In brief, `{:focus}` says to focus on the block in which the attribute appears. Everything in that block is one assertion batch and everything
+outside that block is another assertion batch. It does not matter where in the block the `{:focus}` attribute appears. If there are multiple
+`{:focus}` attributes, each block containing one (or more) is one assertion batch, and everything outside of blocks containing `{:focus}` attributes
+is a final assertion batch. This attibute is usually used to break out if-alternatives or loop-bodies into separate verification attempts.
+
+`{:split_here}` creates an assertion batch of all assertions strictly before the attributed statement and another of the assertions at or after
+the attributed statement. This attribute is usually used to break up long stretches of straight-line code.
+
+Some examples that show how this works for multiple nested blocks are given in the reference manual, [here](../../DafnyRef/DafnyRef#sec-focus) and [here](../../DafnyRef/DafnyRef#sec-split_here).
+
+# How does one declare a type to have a "default" initial value, say a type tagged with {:extern}?
+
+
+## Question
+
+How does one declare a type to have a "default" initial value, say a type tagged with {:extern}?
+
+## Answer
+
+There is no general way to do this. Subset types and newtypes have [witness](../DafnyRef/DafnyRef/#sec-witness-clauses) clauses and types that are [auto-initializable](../DafnyRef/DafnyRef#sec-auto-init)
+have a default, but those rules do not apply to anonymous extern types.
+Particularly for abstract types, there is not even a way to infer such a value.
+
+You can manually initialize like this:
+```dafny
+type {:extern} TT {
+}
+function {:extern} init(): TT
+
+method mmm() {
+  var x: TT := init();
+  var y:= x;
+}
+```
+
+
+# A module A has names from an `import opened` of another module B, but if C imports A, it does not get those names. Please explain.
+
+
+## Question
+
+A module A has names from an `import opened` or another module B, but if C imports A, it does not get those names. Please explain.
+
+## Answer
+
+Here is some example code:
+```dafny
+module A {
+  const a: int := 0
+}
+
+module B {
+  import opened A
+  const b: int := a; // This is A.a, known as a here because of the import opened
+}
+
+module C {
+  import opened B
+  const c: int := b; // This is B.b because of the import opened
+  const d: int := A.a; // B.A is known as A because of the import opened in B
+  const e: int := a; // ILLEGAL - opened is not transitive
+}
+```
+
+The `import opened` directive brings into the importing module all the names declared in the imported module,
+including the names of modules from import statements in the importee, but not names introduced into the importee (here `B`) by an import opened directive. `opened` is not transitive. As shown in the example code, the names in `A` are still available in `C` by qualifying them.
+
+# Are there functional alternatives to recursive calls that are more efficient or use less stack space?
+
+
+## Question
+
+Are there functional alternatives to recursive calls that are more efficient or use less stack space?
+
+## Answer
+
+One way to reduce the number of recursive calls is to use Dafny's function-by-method construct to give a better performing implementation.
+For example
+```dafny
+function Fib(n: nat): nat {
+  if n < 2 then n else Fib(n-1) + Fib(n-2)
+}
+```
+it a very natural but quite inefficient implementation of the Fibonacci function (it takes `Fib(n)` calls of `Fib` to compute `Fib(n)`, though only to a stack depth of `n`).
+
+With function-by-method we can still use the natural recursive expression as the definition but provide a better performing implementation:
+```dafny
+function Fib(n: nat): nat
+ {
+  if n < 2 then n else Fib(n-1) + Fib(n-2)
+} by method {
+  var x := 0;
+  var y := 1;
+  for i := 0 to n 
+    invariant x == Fib(i) && y == Fib(i+1)
+  {
+    x, y := y, x+y;
+  }
+  return x;
+}
+```
+This implementation both combines the two computations of Fib and also, more importantly, turns a tail recursive recursion into a loop.
+
+# How do I read a file as a string?
+
+
+## Question
+
+How do I read a file as a string? 
+
+## Answer
+
+You can't in pure Dafny. Not yet. Such a capability will eventually be part of a standard IO library.
+
+What you can do is to write such a function in another language, say Java, and then use it in Dafny by extern declarations.
+
+# Can I ask Dafny to not check termination of a function?
+
+
+## Question
+
+Can I ask dafny to not check termination of a function?
+
+## Answer
+
+Functions must always terminate, and it must be proved that they terminate.
+
+Methods on the other hand should also terminate , but you can request the the proof be skipped using `decreases *`, as in
+```dafny
+method inf(i: int)
+    decreases *
+  {
+      inf(i); 
+  }
+```
+
+Eventually you should put an actual termination metric in place of the `*` and prove termination.
+The reference manual has more information about termination metrics [in the section on `decreases` clauses](../DafnyRef/DafnyRef#sec-decreases-clause).
+
+# What does {:termination false} do on trait? It looks like it is required if I want to extend traits from other modules.
+
+
+## Question
+
+What does `{:termination false}` do on trait? It looks like it is required if I want to extend traits from other modules.
+
+## Answer
+
+The attribute turns off termination checking for the trait. Here is an example
+```dafny
+module foo1 {
+
+  trait {:termination false} Foo {
+    method bar()
+  }
+
+  class Baz{
+
+    static method boz(foo: Foo){ foo.bar(); }
+
+  }
+}
+module foo2 {
+
+  import opened foo1
+
+  class Boz extends Foo {
+
+    method bar(){
+      Baz.boz(this);
+    }
+  }
+}
+```
+In this example, omitting `{:termination false}` provokes the error "class 'Boz' is in a different module than trait 'foo1.Foo'. A class may only extend a trait in the same module, unless the parent trait is annotated with {:termination false}.".
+
+The `{:termination false}` is only needed when there is dynamic dispatch across module boundaries.
+It does put the onus on the user to prove termiation, as Dafny is no longer doing so.
+The origin of this situation has to do with the interaction of current decreases clauses and traits.
+
+Dafny decreases clauses were designed before the language had dynamic dispatch via trait members. As such, decreases clauses are made to be as simple as possible within each module, and decreases clauses are unnecessary across modules. When dynamic dispatch was added to the language, a draconian restriction was put in place to maintain soundness, namely to disallow dynamic dispatch across module boundaries. This is enforced by insisting that a class that implements a trait is declared in the same module that declares the trait.
+
+The draconian restriction outlaws the useful case where a trait is placed in a library. Indeed, we are seeing this in [`dafny-lang/libraries`](https://github.com/dafny-lang/libraries/) now. So, Dafny supports a way for users to lift the draconian restriction and instead take responsibility themselves for termination of dynamically dispatched calls via a trait--it is to mark the trait with `{:termination false}`.
+
+The status of solutions to this problem are discussed [here](https://github.com/dafny-lang/dafny/issues/1588).
+
+# How do I make Dafny termination checking happy with mutual recursion?
+
+
+## Question
+
+How do I make Dafny termination checking happy with mutual recursion, like the following example:
+```dafny
+datatype T = Y | N | B(T,T)
+
+function f(x : T) : bool {
+    match x {
+        case Y => true
+        case N => false
+        case B(x,y) => g(x,y)
+    }
+}
+
+function g(x : T, y : T) : bool {
+    f(x) && f(y)
+}
+```
+
+If `g` is inlined there is no problem. What should I do?
+
+## Answer
+
+Termination of recursion is proved using a `decreases` clause. For the single function
+Dafny can successfully guess a decreases metric. But for this mutual recursion case,
+the user must supply on.
+
+The termination metric for a recursive datatype (like `T` here) is the height of the tree denoted by the argument `x`, in this case.
+So there is definitely a decrease in the metric from the call of `f` to the call of `g`, but there is not when `g` calls `f`.
+One solution to this situation is the following:
+```dafny
+datatype T = Y | N | B(T,T)
+
+function f(x : T) : bool 
+  decreases x, 1
+{
+    match x {
+        case Y => true
+        case N => false
+        case B(x,y) => g(x,y)
+    }
+}
+
+function g(x : T, y : T) : bool 
+  decreases B(x,y), 0
+{
+    f(x) && f(y)
+}
+```
+Here when `f` calls `g`, the metric goes from `x, 1` to `B(x.x, x.y), 0`. Because `x` is the same as `B(x.x, x.y)`, the lexicographic ordering looks
+at the next component, which does decrease from `1` to `0`. Then in each case that `g` calls `f`, the metric goes from `B(x,y), 0` to `x,1` or `y,1`,
+which decreases on the first component.
+
+Another solution, which is a pattern applicable in other circumstances as well, is to use a ghost parameter as follows:
+```dafny
+datatype T = Y | N | B(T,T)
+
+function f(x : T) : bool
+  decreases x, 1
+{
+  match x {
+    case Y => true
+    case N => false
+    case B(x',y') => g(x,x',y')
+  }
+}
+
+function g(ghost parent: T, x : T, y : T) : bool
+  decreases parent, 0
+  requires x < parent && y < parent
+{
+  f(x) && f(y)
+}
+```
+
+More on the topic of termination metrics can be found [here](../DafnyRef/DafnyRef#sec-decreases-clause).
+
+# Can it be proved that a class instance is not an instance of a trait?
+
+
+## Question
+
+Can it be proved that a class instance is not an instance of a trait, as in the following example?
+```dafny
+trait A<T> {}
+
+class B {}
+
+lemma Foo(v: object)
+  ensures v is B ==> !(v is A<object>)
+{}
+```
+
+## Answer
+
+No. Although the lemma is valid and may be stated as an axiom, Dafny does not internally model
+the type hierarchy and so does not have the information to prove that statement.
+Such an axiom would have to be manually checked against the type hierarchy if the definitions of 
+the types involved were to change.
+
+# Is there a nice way to turn a `set` into a `seq`?
+
+
+## Question
+
+Is there a nice way to turn a set into a seq?
+
+## Answer
+
+There is as yet no built-in simple function but there are various idioms that can accomplish this task.
+
+Within a method (where you can use a while loop), try `var acc: seq<int> := []; 
+  while s != {} { var x: int :| x in s; acc := acc + [x]; s := s - {x}; }`
+
+You could use a function-by-method to encapsulate the above in a function.
+
+Here is an extended example taken from  [Dafny Power User: Iterating over a Collection](http://leino.science/papers/krml275.html).
+
+```dafny
+function SetToSequence<A(!new)>(s: set<A>, R: (A, A) -> bool): seq<A>
+  requires IsTotalOrder(R)
+  ensures var q := SetToSequence(s, R);
+    forall i :: 0 <= i < |q| ==> q[i] in s
+{
+  if s == {} then [] else
+    ThereIsAMinimum(s, R);
+    var x :| x in s && forall y :: y in s ==> R(x, y);
+    [x] + SetToSequence(s - {x}, R)
+}
+
+lemma ThereIsAMinimum<A(!new)>(s: set<A>, R: (A, A) -> bool)
+  requires s != {} && IsTotalOrder(R)
+  ensures exists x :: x in s && forall y :: y in s ==> R(x, y)
+```
+
+# How do I declare a default value for a parameter of a method or function?
+
+
+## Question
+
+How do I declare a default value for a parameter of a method or function?
+
+## Answer
+
+The parameters of methods and functions can be referred to by name.
+```dafny
+  method m( i: int,  j: int, k: int) {}
+  method q() {
+    m(4, k:= 7, j:=8);
+
+  }
+```
+In the left-to-right sequence of actual arguments, once a parameter is referred to by name, all the rest must also be referred to by name. The named arguments may be in any order.
+
+Furthermore, arguments can be given default values.
+```dafny
+  method m( i: int,  j: int, k: int := 0) {}
+  method q() {
+    m(4, 4, k:=8);
+    m(1, j:=2);
+    m(1,2);
+  }
+```
+In the left-to-right sequence of actual arguments, once a parameter is given a default value, all the rest must also have a default value. Arguments may still be referred to by name, but now any named
+argument with a default is optional. If there are no names at all, then it is always the last
+arguments that are omitted if the actual argument list is shorter than the formal parameter list,
+and they must all have defaults.
+
+Finally, a parameter may be declared as `nameonly`, in which case it must be referred to by name.
+```dafny
+  method m( i: int,  j: int, nameonly k: int := 0, q: int := 8) {}
+  method q() {
+    // m(4, 4, 8 ); // Error
+    m(4, 4, q:=9);
+    m(4, 4, k:=8);
+  }
+```
+Such a parameter may but does not need to have default value, but if it does not, it cannot be omitted.
+
+# I just realized that a function I was compiling had a type error inside a match case.  Instead of giving a compile error I was getting a redundant clause warning for the second case. What is the reason for this?
+
+
+## Question
+
+I just realized that a function I was compiling had a type-error inside a match case.  Instead of giving a compile error I was getting a redundant clause warning for the second case. What is the reason for this?
+
+## Answer
+
+Here is a situation that can cause this error:
+```dafny
+datatype AB = A | B
+method test(q: AB) {
+  var c := match q { case a => true case b => false };
+}
+```
+The example has an error on the second `case` saying this branch is redundant.
+
+The problem here is that both `a` and `b` are undeclared variables. Consequently they both match
+in match expression `q` no matter what `q`'s value is. Because `a` matches no matter what, 
+the second case is redundant.
+
+What is usually intended by such code is something like this:
+```dafny
+datatype AB = A | B
+method test(q: AB) {
+  var c := match q { case A => true case B => false };
+}
+```
+which causes no type errors.
+
+The observation here is that misspelled type names in case patterns can cause silent unexpected  behavior. It is likely that a lint warning will be produced for the above anti-pattern in some future version of Dafny.
+
+# Is there a way I can pass a variable with a generic type to a method with a concrete type?
+
+
+## Question
+
+Is there a way I can pass a variable with a generic type to a method with a concrete type? Here is some motivating code:
+```dafny
+predicate Goo<K, V>(m: map<K, V>)
+  requires m.keyType is string // Can I do something like this?
+{ Foo(m) }
+
+predicate Foo<V>(m: map<string, V>)
+```
+
+## Answer
+
+In short, no.
+
+There are a few problems here. First there is no way to extract the type of the keys of a map as a _type_ value. Dafny does not have the capability to reason about 
+types as first-class entities. In fact the `is` operator takes a value and a type, not two types.
+
+We could try writing the precondition as `requires m.Keys is set<string>`, but that is not permitted either as `m.Keys` is a `set<K>` and is not comparable to `set<string>` with `is`.
+ 
+
+# How can ghost code call methods with side effects?
+
+
+## Question
+
+How can ghost code call methods with side effects?
+
+## Answer
+
+Ghost code may not have any effect on non-ghost state, but ghost code can have effects on ghost state.
+So a ghost method may modify ghost fields, as long as the specifications list the appropriate fields in
+the appropriate modifies clauses. The example code below demonstrates this:
+
+```dafny
+  class C {
+    ghost var c: int
+
+    ghost method m(k: int)
+      modifies this
+      ensures c == k
+    { 
+      c := k;
+    }
+
+    ghost method p() {
+      var cc := new C;
+      cc.m(8);
+      assert cc.c == 8;
+    }
+  }
+```
+
+# How do I create and use an iterator?
+
+
+## Question
+
+How do I create and use an iterator?
+
+## Answer
+
+Here is an example of an iterator:
+```dafny
+iterator Gen(start: int) yields (x: int)
+  yield ensures |xs| <= 10 && x == start + |xs| - 1
+{
+  var i := 0;
+  while i < 10 invariant |xs| == i {
+    x := start + i;
+    yield;
+    i := i + 1;
+  }
+}
+```
+An instance of this iterator is created using
+```dafny
+iter := new Gen(30);
+```
+It is used like this:
+```
+method Main() {
+  var i := new Gen(30);
+  while true
+    invariant i.Valid() && fresh(i._new)
+    decreases 10 - |i.xs|
+  {
+    var m := i.MoveNext();
+    if (!m) {break; }
+    print i.x;
+  }
+}
+```
+Here the method `MoveNext` and the field `xs` (and others) are automatically created, 
+as decribed in the [reference manual](../DafnyRef/DafnyRef#sec-iterator-types).
+
+Note that the syntax of iterators is under discussion in the Dafny development team and may change or have additional alternatives in the future.
+
+# Can classes appear in specs?
+
+
+## Question
+
+Can classes appear in specs?
+
+## Answer
+
+Class types can be argument types for a method or function and the corresponding formal parameter can then be mentioned in specs.
+Within the specs, you can call functions (ghost or not) of those classes.
+
+However, there are some limitations:
+- Primarily, the `new` operator may not be used in a specification, so new class objects cannot be allocated in the spec
+- Note also that class objects are on the heap; as heap objects they will need to be mentioned in reads clauses.
+
+# "How do I write specifications for a lambda expression in a sequence constructor?"
+
+
+## Question
+
+How do I write specifications for a lambda expression in a sequence constructor?
+
+## Answer
+
+Consider the code
+```dafny
+class C {
+  var p: (int, int);
+}
+
+function Firsts0(cs: seq<C>): seq<int> {
+  seq(|cs|, i => cs[i].p.0) // Two errors: `[i]` and `.p`
+}
+```
+
+Dafny complains about the array index and an insufficient reads clause in the lambda function.
+Both of these need specifications, but where are they to be written.
+
+The specifications in a lamda function expression are written after the formal aarguments
+but before the `=>`.
+
+The array index problem is solved by a `requires` clause that limits the range of the index::
+```dafny
+class C {
+  var p: (int, int);
+}
+
+function Firsts0(cs: seq<C>): seq<int> {
+  seq(|cs|, i requires 0 <= i < |cs| => cs[i].p.0) // Two errors: `[i]` and `.p`
+}
+```
+
+and the reads complaint by a `reads` clause that states which objects will be read.
+In this case, it is the objects `cs[i]` that have their `p` field read.
+If the element type of `cs` were a value type instead of a reference type, this
+`reads` clause would be unnecessary.
+
+```dafny
+class C {
+  var p: (int, int);
+}
+
+function Firsts2(cs: seq<C>): seq<int>
+  reads set i | 0 <= i < |cs| :: cs[i]
+{
+  seq(|cs|, i
+    requires 0 <= i < |cs|
+    reads set i | 0 <= i < |cs| :: cs[i] => cs[i].p.0)
+}
+```
+
+# I have a lemma and later an assert stating the postcondition of the lemma, but it fails to prove. Why and how do I fix it?
+
+
+## Question: I have a lemma and later an assert stating the postcondition of the lemma, but it fails to prove. Why and how do I fix it?
+
+I have this lemma
+```dafny
+    lemma MapKeepsCount<X,Y,Z>(m : map<X,Y>, f : (X) -> Z)
+      requires forall a : X, b : X :: a != b ==> f(a) != f(b)
+      ensures |m| == |map k <- m.Keys :: f(k) := m[k]|
+```
+and later on this code
+```dafny
+MapKeepsCount(schema, k => Canonicalize(tableName, k));
+assert |schema| == |map k <- schema.Keys | true :: Canonicalize(tableName, k) := schema[k]|;
+```
+
+The final assert fails, even though it exactly matches the ensures of the lemma.
+What am I missing? 
+
+If the lemma is an axiom, one can try to assume the post condition right before the assertion. 
+But that failed in this case
+
+```dafny
+MapKeepsCount(schema, k => Canonicalize(tableName, k));
+assume |schema| == |map k <- schema.Keys | true :: Canonicalize(tableName, k) := schema[k]|;
+assert |schema| == |map k <- schema.Keys | true :: Canonicalize(tableName, k) := schema[k]|;
+```
+
+Which makes no sense.
+I even put the function into a variable, and this still fails
+```dafny
+assume |schema| == |map k <- schema.Keys :: fn(k) := schema[k]|;
+assert |schema| == |map k <- schema.Keys :: fn(k) := schema[k]|;
+```
+
+## Answer:
+
+The explanation is a little involved, and in the end gets into a weakness of Dafny. But these is a workaround. Here goes:
+
+To prove that the `|map …|` expression in the specification has the same value as the `|map …|` expression in the code, 
+the verifier would either have to compute the cardinality of each map (which it can’t do, because `m.Keys` is symbolic and could stand for any size set) 
+or reason that the one `map …` is the very same map as the other `map …` (in which case it would follow that the cardinality of the two maps are also the same).
+The way to prove that two maps are equal is to show that they have the same keys and the same mappings. 
+The idea of proving two things equal by looking at the “elements” of each of the two things is called extensionality. 
+Dafny never tries to prove extensionality, but it’s happy to do it if you ask it to. 
+For example, if `G` is a function that you know nothing about and you ask to prove
+```dafny
+assert G(s + {x}) == G({x} + s + {x});
+```
+then Dafny will complain. You have to first establish that the arguments to these two invocations of `G` are the same, which you can do with an assert:
+```dafny
+assert s + {x} == {x} + s + {x};
+assert G(s + {x}) == G({x} + s + {x});
+```
+
+Here, Dafny will prove the first assertion (which it actually does by proving that the sets are elementwise equal) and will then use the first assertion to prove the second.
+Going back to your example, Dafny needs to know that the two `map`s are equal. To help it along, perhaps you could mention the two in an assertion, like
+
+`assert map … == map …;`
+
+But you can’t do that here, because the two map expressions are in different scopes and use different variables.
+To establish that the two maps are equal, we thus need to do something else. 
+If the two of them looked the same, then Dafny would know that the are the same. 
+But the form is slightly different, because you are (probably without thinking about it) instantiating a lambda expression. 
+To make them the same, you could rewrite the code to:
+```dafny
+  var F := k => Canonicalize(tableName, k);
+  MapKeepsCount(schema, F);
+  assert |schema| == |map k <- schema.Keys | true :: F(k) := schema[k]|;
+```
+
+Now, this `map …` syntactically looks just like the one in the lemma postcondition, but with `schema` instead of `m` and with `F` instead of `f`. 
+When two map comprehensions (or set comprehensions, or lambda expressions) are syntactically the same like this, then Dafny knows to treat them the same.
+Almost. 
+Alas, there’s something about this example that makes what I said not quite true (and I didn’t dive into those details just now). 
+There is a workaround, and this workaround is often useful in places like this, so I’ll mention it here. 
+The workaround is to give the comprehension a name. Then, if you use the same name in both the caller and callee, 
+Dafny will know that they are the same way of constructing the map. 
+The following code shows how to do it: 
+```dafny
+lemma MapKeepsCount<X, Y, Z>(m: map<X, Y>, f: X -> Z)
+  requires forall a: X, b: X :: a != b ==> f(a) != f(b)
+  ensures |m| == |MyMap(f, m)|
+
+ghost function MyMap<X, Y, Z>(f: X -> Y, m: map<X, Z>): map<Y, Z>
+  requires forall a <- m.Keys, b <- m.Keys :: a != b ==> f(a) != f(b)
+{
+  map k <- m.Keys :: f(k) := m[k]
+}
+
+method Use<X,Y,Z>(schema: map<X,Y>, tableName: TableName)
+  requires forall a : X, b : X :: a != b ==> Canonicalize(tableName, a) != Canonicalize(tableName, b)
+{
+  var F := k => Canonicalize(tableName, k);
+  MapKeepsCount(schema, F);
+  assert |schema| == |MyMap(F, schema)|;
+}
+
+
+type TableName
+
+function SimpleCanon<K>(t: TableName, k: K): int
+
+```
+
+It manually introduces a function `MyMap`, and by using it in both caller and callee, the code verifies.
+
+# Why can't I write 'forall t: Test :: t.i == 1' for an object t?
+
+
+## Question:
+
+Why can't I write `forall t: Test :: t.i == 1` for an object t?
+
+## Answer:
+
+This code
+
+```dafny
+trait Test {
+ var i: int
+}
+class A {
+  predicate testHelper() {
+    forall t: Test :: t.i == 1
+    // a forall expression involved in a predicate definition is not allowed to depend on the set of allocated references,
+  }
+}
+```
+
+can be better written as
+
+```dafny
+trait Test {
+ var i: int
+}
+class A {
+  ghost const allTests: set<Test>
+  predicate testHelper() reads allTests {
+    forall t: Test <- allTests :: t.i == 1
+  }
+}
+```
+
+That way, if you want to assume anything about the Test classes that you are modeling extern, 
+you only need to specify an axiom that says that whatever Test you have was in allTests, 
+which could have been a pool of Test objects created from the start anyway, and then you can use your axiom. 
+# How do I say 'reads if x then this\`y else this\`z'? Dafny complains about the 'this'.
+
+
+## Question: 
+
+How do I say 'reads if x then this\`y else this\`z'? Dafny complains about the 'this'.
+
+## Answer:
+
+Here is some sample code that show a workaround.
+
+```dafny
+trait Test {
+  var y: int
+  var z: int
+  function {:opaque} MyFunc(x: bool): int
+    reads (if x then {this} else {})`y, (if x then {} else {this})`z {
+    if x then y else z
+  }
+}
+
+```
+# How do I model extern methods that return objects?
+
+
+## Question: 
+
+How do I model extern methods that return objects?
+
+
+## Answer:
+
+When modeling extern functions that return objects, it's usually not good to have specifications that return objects. 
+It's better to have a predicate that takes the input of a function, an object, and relates the two to each other.
+
+For example:
+
+```dafny
+trait {:extern} {:compile false} Test {
+  var i: int
+  var y: int
+}
+trait {:extern} {:compile false} Importer {
+  function Import(i: int): (r: Test)
+    ensures r.i == i
+
+  method {:extern} {:compile false} DoImport(i: int) returns (r: Test)
+    ensures r == Import(i)
+
+  predicate Conditions(i: int) {
+     && var r := Import(i);
+     && r.y == 2
+  }
+}
+```
+
+In this case, it's better to write a predicate, and use existential quantifiers along with the `:|` operator, 
+and there is no need to prove uniqueness because we are in ghost code!
+
+```dafny
+trait {:extern} {:compile false} Test {
+  var i: int
+}
+trait {:extern} {:compile false} Importer {
+  predicate IsImported(i: int, r: Test) {
+    r.i == i
+  }
+  method {:extern} {:compile false} DoImport(i: int) returns (r: Test)
+    ensures IsImported(i, r)
+
+  predicate Conditions(i: int) {
+     && (exists r: Test :: IsImported(i, r))
+     && var r :| IsImported(i, r);   // Note the assignment has changed.
+     && r.y == 2
+  }
+}
+```
+
+# How do I tell Dafny that a class field may be updated?
+
+
+## Question
+
+I get a "call might violate context's modifies clause" in the following context.
+I have a field in a class that is is an array whose elements are being modified by a call, but the field does not exist when the enclosing method
+is called. So how do I tell Dafny that it can be modified?
+
+Here is an example situation:
+```dafny
+class WrapArray {
+  var intarray: array<int>; 
+  constructor (i:int) 
+    requires i > 0
+  {
+    this.intarray := new int[i];
+  }
+  method init(i: int)
+    modifies intarray
+  {
+    var index: int := 0;
+    while (index < intarray.Length){
+      intarray[index] := i;
+      index := index+1;
+    }
+  }
+}
+
+method Main()
+{
+  var sh:= new WrapArray(5);
+  sh.init(4);
+}
+```
+
+## Answer
+
+When dafny is asked to verify this, it complains about the call `sh.init` that it modifies objects that
+Main does not allow. Indeed `sh.init` does modify the elements of `sh.intarray` and says so in its `modifies` clause,
+but that array does not even exist, nor is `sh` in scope, in the pre-state of `Main`. 
+So where should it be indicated that `sh.intarray` may be modified?
+
+The key is in the fact that neither `sh` nor `sh.intarray` is allocated in `Main`'s pre-state. `Main` should be allowed 
+to modify objects that are allocated after the pre-state. Indeed `Main` knows that `sh` is newly allocated, so its fields
+may be changed. That is, we are allowed to assign to `sh.intarray`. But here we want to change the state of `sh.intarray`,
+not `sh`. The array is newly allocated, but `Main` does not know this.
+After all, it is possible that the constructor initialized `sh.intarray` with some existing array and changing that array's elements
+would change the state of some other object. We need to tell `Main` that the constructor of `WrapArray` allocates a new 
+array of ints. The syntax to do that is to add a postcondition to the constructor that says `fresh(intarray)`.
+
+Writing the constructor like this
+
+```dafny
+  constructor (i:int)
+    requires i>0
+    ensures fresh(intarray)
+  {
+      this.intarray := new int[i];
+  }
+  
+```
+
+solves the problem.
+
+# "Why does Dafny not know this obvious property of maps?"
+
+
+** Question: Why does Dafny not know this obvious property of maps?
+
+I have this simple program:
+
+```dafny
+method mmm<K(==),V(==)>(m: map<K,V>, k: K, v: V) {
+    var mm := m[k := v];
+    assert v in mm.Values;
+  }
+```
+
+The value `v` has just been inserted into the map. Why can't Dafny prove that `v` is now an element of the map?
+
+** Answer
+
+Dafny does not include all possible properties of types in its default set of axioms. The principal reason for this
+is that including all axioms can give Dafny too much information, such that finding proofs becomes more time-consuming
+for all (or most) problems. The trade-off is that the user has to give hints more often.
+
+In this particular example, in order for Dafny to prove that `v` is in `mm.Values`, it needs to prove that
+`exists k': K :: k' in mm.Keys && mm[k'] == v`. This is a difficult assertion to prove; the use of the axiom is not triggered
+unless there is some term of the form `_ in mm.Keys` present in the assertions. So the proof is made much easier if we
+first assert that `k in mm.Keys`; then Dafny sees immediately that `k` is the `k'` needed in the exists expression.
+So
+```dafny
+method mmm<K(==),V(==)>(m: map<K,V>, k: K, v: V) {
+    var mm := m[k := v];
+    assert k in mm.Keys;
+    assert v in mm.Values;
+  }
+```
+proves just fine.
+
+# I can't prove the equivalence between the method part of a `function by method`` and the function itself
+
+
+## Question
+
+I can't prove the equivalence between the method part of a function by method and the function itself.
+It seems that my invariants can't be maintained by the loop, and I don't know how to prove them.
+
+## Answer
+
+Consider the simple problem of computing the sum of a sequence of integers.
+You might be tempted to immediately write the following equivalence,
+with your best guess of an invariant
+and a hint at the end to help Dafny realize that the result is correct.
+However you cannot prove the invariant you just wrote.
+
+```
+{% include_relative FAQFunctionByMethodProof1.dfy %}
+```
+
+Let's unroll the computation of the function on a sequence of 3 elements.
+The function will compute:
+
+`s[0] + (s[1] + (s[2] + 0))`
+
+But the loop will compute
+
+`((0 + s[0]) + s[1]) + s[2]`
+
+In the function, we add the first element (`s[0]`) to the result of computing the sum of the remaining elements (`s[1] + (s[2] + 0))`).
+In the by method, we add the last element (`s[2]`) to the accumulator, which contains the sum of the initial terms (`(0 + s[0]) + s[1]`).
+If it was not the case that the addition was associative and 0 was a neutral element, there would be no immediate way to prove that the two computations are equivalent.
+
+There are essentially three solutions around that:
+
+* Improve the invariant, knowing `+` is associative
+* Change the order of computation of the function so that it matches the by method
+* Change the order of computation of the by method so that it matches the function
+
+There are more intrusive solutions, such as making the function tail-recursive by changing the function's signature to include an accumulator or a sequence of callbacks to perform a the end, but we will explore only the one that don't change the signature of `Sum()`.
+
+## Improved invariant
+
+You can change the invariant to be `invariant result + Sum(s[i..]) == Sum(s)`, as below:
+
+```
+{% include_relative FAQFunctionByMethodProof2.dfy %}
+```
+
+This works because, with `result'` being the result at the end of the loop and `+` being associative,
+the lemma `IntermediateProperty()` shows the underlying reasoning that helps prove that the invariant
+is indeed invariant. Dafny can prove it automatically, so the lemma is not needed in the loop body.
+One nice thing is that we can get rid of the final hint.
+
+What if you had an operation more complex that "+", that is not associative?
+This is when you need to ensure the loop and the function are computing in the same order.
+Let's explore how to do so by changing either the function, or the by-method body.
+
+## Make the function compute what the by-method does
+The by-method loop's first addition is 0 plus the first element (`s[0]`) of the sequence. For this to
+be the first addition performed by the function, it has to be at the bottommost level of the call.
+Indeed, each addition is performed after the recursive call finishes. This means that
+the function needs to sum the `n-1` elements first and add the remaining last one.
+
+Since it's exactly what the method computes, it satisfies our initial invariant.
+
+```
+{% include_relative FAQFunctionByMethodProof3.dfy %}
+```
+
+Not only does this approach require more proof hints, but it might also break the proofs that dependend on the shape of the function, while all we wanted in the first place was to give a more efficient implementation to the function.
+Therefore, it's reasonable to expect we will prefer to change the implementation of the by-method body to reflect the function, not the opposite, as follows:
+
+## Make the by-method body compute what the function computes
+
+To compute iteratively what the function computes recursively, you have to find what is the first
+addition that will be computed by the method. As mentioned previously, the first addition is the one performed at the bottommost level of recursion: the first addition is `s[|s|-1] + 0`,
+so the loop has to actually be in reverse, like this:
+
+```
+{% include_relative FAQFunctionByMethodProof4.dfy %}
+```
+
+Note that this approach results in the smallest invariant that actually closely matches the function itself.
+Also, instead of adding to the right of `result`, adding to the left ensures the same order is kept,
+in case the operation was not commutative (so that it would work for sequence append operation).
+# Is there a Dafny style? and a Dafny linter (style checker and bad smell warnings)?
+
+
+## Question
+
+Is there a Dafny style? and a Dafny linter (style checker and bad smell warnings)?
+
+## Answer
+
+There is a Dafny style guide [here](https://dafny.org/dafny/StyleGuide/Style-Guide).
+
+There is not yet a Dafny lint tool (that is, warnings about technically correct but suspicious or poor-style code),
+though a formatter is underway. Warnings about some matters are included in the Dafny parser. 
+However, ideas for lint warnings are being collected and you are welcome to contribute ideas: suggestions can be made on the [issues list](https://github.com/dafny-lang/dafny/issues).
+
+# Is Dafny available as a library, to be called from other software?
+
+
+## Question
+
+Is Dafny available as a library, to be called from other software?
+
+## Answer
+
+Yes, it is. The DafnyPipeline library on NuGet is the most likely candidate for inclusion in a third-party program. 
+
+
+# How do I run boogie manually?
+
+
+## Question
+
+How do I run Boogie manually? What Dafny output and command-line flags do I need?
+
+## Answer
+
+A Boogie file is generated by Dafny using the option `-print`. For example, the command `dafny -print:a.bpl HelloWorld.dfy` will produce a file `a.bpl`. 
+If the `-print` option lacks an argument (the file name), the somewhat confusing message `Error: No input files were specified` is emitted.
+Be cautious: `dafny -print A.dfy B.dfy` may overwrite `A.dfy`.
+You can also use `-print:-` to send the boogie file to the standard output.
+
+To run boogie, it is most convenient to install boogie directly. See https://github.com/boogie-org/boogie.
+Dafny invokes Boogie as a library, not as a spawned executable, so there is no Boogie executable in the Dafny installation.
+However, the version of Boogie that Dafny uses corresponds to Boogie 2.15.7 (as of Dafny 3.7.3). 
+
+
+On a simple _Hello World_ program, `boogie a.bpl` is sufficient. Dafny does rely on these default Boogie options
+- `smt.mbqi` is set `false`
+- `model.compact` is set `false`
+- `model.v2` is set `true`
+- `pp.bv_literals` is set `false`
+
+Dafny also sets these non-default Boogie options:
+- `auto_config` is set `false`
+- `type_check` is set `true`
+- `smt.case_split` is set `3`
+- `smt.qi.eager_threshold` is set `100`
+- `smt.delay_units` is set `true`
+- `smt.arith.solver` is set `2`
+
+These all however are subject to change, especially as the version of Boogie used changes
+
+In addition, Dafny sends a variety of other command-line options to Boogie, depending on selections by the user and heuristics built-in to Dafny.
+Some guide to the available (Dafny) options that are passed through to Boogie are [in the reference manual](../../DafnyRef/DafnyRef#sec-controlling-boogie).
+
+# Does Dafny verify methods in parallel?
+
+
+## Question
+
+Does Dafny verify methods in parallel?
+
+## Answer
+
+When used on the command-line, Dafny verifies each method in each module sequentially
+and attempts to prove all the assertions in a method in one go.
+However, you can use the option `/vcsCores` to parallelize some of the activity
+and various options related to _verification condition splitting_ can break up the work
+within a method.
+
+When used in the IDE, the default is concurrent execution of proof attempts.
+
+
+# Is there a doc generator for Dafny?
+
+
+## Question
+
+Is there a doc generator for Dafny?
+
+## Answer
+
+Not one produced by the Dafny team or included in a Dafny release.
+This 3rd-party tool was reported by users: [https://github.com/nhweston/dfydoc](https://github.com/nhweston/dfydoc).
+
+
+# How can I improve automation and performance for programs with non-linear arithmetic?
+
+
+## Question
+
+How can I improve automation and performance for programs with non-linear arithmetic?
+
+## Answer
+
+There are some switches (/arith and the somewhat deprecated /noNLarith) that reduce the automation you get with nonlinear arithmetic; they improve the overall proof success by using manually introduced lemmas instead. There are now also many lemmas about nonlinear arithmetic in the Dafny standard library.
+
+# It looks like, when compiling to C#, my print statements don't show up if I don't have \n at the end of the string.
+
+
+## Question
+
+It looks like, when compiling to C#, my print statements don't show up if I don't have \n at the end of the string.
+
+## Answer
+
+The desired output is present in all current Dafny backends. But note that
+if the print statement does not include the `\n`, then the output may not either.
+In that case the output may be (depending on the shell you are using)
+concatenated with the prompt for the next user input.
+
+For example,
+```dafny
+method Main() {
+  print "Hi";
+}
+```
+produces (with a bash shell)
+```
+mydafny $ dafny run --target=cs Newline.dfy 
+
+Dafny program verifier finished with 0 verified, 0 errors
+Himydafny $
+```
+
+# Is there a standard library for Dafny?
+
+
+## Question
+
+Is there a standard library for Dafny?
+
+## Answer
+
+No, but one is planned. Some sample code is at [https://github.com/dafny-lang/libraries](https://github.com/dafny-lang/libraries). Contributions and ideas are welcome.
+
+# Why do I need to use an old version of Z3?
+
+
+## Question
+
+Why do I need to keep using an old version of Z3?
+
+## Answer
+
+It is correct that the version of Z3 used by Dafny (through Boogie) is an old version.
+Although the Dafny team would like to upgrade to newer versions of Z3 (to take advantage
+of bug fixes, at a minimum), so far the newer versions of Z3 perform more poorly on
+Dafny-generated SMT for many test cases.
+
+# How do I ask a question or file a problem report or make a suggestion about Dafny?
+
+
+## Question
+
+How do I ask a question or file a problem report or make a suggestion about Dafny?
+
+## Answer
+
+You can ask questions about Dafny
+- on Stack Overflow, tagged as 'dafny': [https://stackoverflow.com/questions/tagged/dafny](https://stackoverflow.com/questions/tagged/dafny)
+
+You can report issues
+- On the Dafny Issues log: [https://github.com/dafny-lang/dafny/issues](https://github.com/dafny-lang/dafny/issues)
+
+Documentation about Dafny is available at [https://dafny.org](https://dafny.org) and links from there.
+
+# Any plans to release the language server as a NuGet package? Seems like it’s not part of the Dafny release.
+
+
+## Question
+
+Any plans to release the language server as a NuGet package? Seems like it’s not part of the Dafny release.
+
+## Answer
+
+It is now available on NuGet, along with other components of the Dafny:
+([https://www.nuget.org/packages?q=dafny](https://www.nuget.org/packages?q=dafny)):
+
+# What compiler target langages are in development?
+
+
+## Question
+
+What compiler target langages are in development?
+
+## Answer
+
+As of version 3.7.3
+- C#, Javascript, Java, and Go are well-supported
+- Python is under development
+- Limited support for C++ is available
+- Rust support is being planned
+
+# "Error: z3 cannot be opened because the developer cannot be verified"
+
+
+This error occurs on a Mac after a new installation of Dafny, with Z3.
+It is a result of security policies on the Mac.
+
+You can fix the result by running the shell script `allow_on_mac.sh`
+that is part of the release.
+
+The problem can arise with other components of Dafny as well.
+
+
+# "Error: rbrace expected"
+
+
+The error "rbrace expected"
+is a common occurence caused by some parsing error within a brace-enclosed block, such as a module declaration, a class declaration, or a block statement.
+The error means that the parser does not expect whatever characters it next sees. Consequently, the parser just says that it expects the block to be closed by a right curly brace (`}`).
+Indeed, one cause might be an inadvertently omitted right brace.
+
+Here are some other examples:
+
+- A misspelled keyword introducing the next declaration
+```
+{% include_relative ERROR_Rbrace4.dfy %}
+```
+- A `const` initializer follows ':=', not '='
+```
+{% include_relative ERROR_Rbrace1.dfy %}
+```
+- A field (`var`) does not take an initializer
+```
+{% include_relative ERROR_Rbrace3.dfy %}
+```
+- A field (`var`) does not take an initializer, and if it did it would follow a `:=`, not a `=`
+```
+{% include_relative ERROR_Rbrace2.dfy %}
+```
+
+# "Error: closeparen expected"
+
+
+## Question
+
+What causes the error "Error: closeparen expected" as in
+
+```dafny
+{% include_relative ERROR_CloseParen.dfy %}
+```
+producing
+```text
+{% include_relative ERROR_CloseParen.txt %}
+```
+
+## Answer
+
+You are writing a Java/C parameter declaration. In Dafny, parameter declarations have the form `name: type`, so
+```dafny
+method test(i: int) { ... }
+```
+
+# "Error: cannot establish the existence of LHS values that satisfy the such-that predicate"
+
+
+Here is example code that produces this error:
+```dafny
+{% include_relative ERROR_NoLHS.dfy %}
+```
+
+
+When a _such-that_ (`:|`) initialization is used, Dafny must be able to establish that there is at least one value
+that satisfies the predicate given on the RHS. 
+That is, in this case, it must prove
+`assert exists k :: k in m;`.
+But for this example, if the map `m` is empty, there is no such value,
+so the error message results.
+
+If you add a precondition that the map is non-empty, then the error is gone:
+```
+{% include_relative ERROR_NoLHS1.dfy %}
+```
+
+# "Error: type parameter 0 (K) passed to type A must support no references"
+
+
+Ordinarily, a type parameter `X` can be instantiated with any type.
+
+However, in some cases, it is desirable to say that `X` is only allowed to be instantiated by types that have certain characteristics. One such characteristic is that the type does not have any references.
+
+A “reference”, here, refers to a type that is or contains a reference type. Reference types are class and trait types. So, if a type parameter is restricted to only “no reference” types, then you cannot instantiate it with a class type or a trait type.
+A datatype can also include a reference. For example,
+datatype MyDatatype = Ctor(x: MyClass)
+More subtly, a type
+datatype D<X> = Ctor(x: X)
+might also contain a reference type if `X` is a type that can contain a reference type.
+
+
+If you’re getting the “no reference” error, then you’re either trying to write an unbounded quantifier over a type that may contain references, or you’re trying to use a type that may contain references to instantiate a type parameter restricted to no-reference types.
+Type characteristics that a type parameter must satisfy are written in parentheses after the type name and are separated by commas. For example, to say that a type parameter `X` must not contain any references, you would declare it as `X(!new)`. To further ensure it supports compile-time equality, you would declare it as `X(!new,==)`.
+Presumably, you’re trying to instantiate a type parameter like `X(!new)` with a type that may contain references.
+
+There is more discussion of type parameter characteristics in the [reference manual](../../DafnyRef/DafnyRef#sec-type-parameters).
+
+# "Error: a modifies-clause expression must denote an object or a set/iset/multiset/seq of objects (instead got map<int, A>)"
+
+
+
+Here is example code that produces the given error message:
+```dafny
+{% include_relative ERROR_ModifiesValue.dfy %}
+```
+
+The expression in the modifies clause is expected to be a set of object references.
+It is permitted also to be a comma-separated list of object references or sets or sequences of such references.
+In this example, the expression is none of these; instead it is a `map`.
+`map`s are values and so are not modified; new values are created, just like an integer is not modified  one computes a different integer value.
+
+If the intent here is to say that any of the `A` objects stored in the map may be modified, then one has to construct a set of all those objects.
+For a map, there is an easy way to do this: just say `m.Values`, as in this rewrite of the example:
+```
+{% include_relative ERROR_ModifiesValue1.dfy %}
+```
+
+# "Error: name of datatype (String) is used as a function?"
+
+
+How do I fix this error message: "name of datatype (String) is used as a function"?
+
+```dafny
+module MString {
+  export provides String
+  datatype String = String(s: string)
+}
+module MX {
+  import opened MString
+  const S := String("asd")
+}
+```
+
+The names visible in module `MX` are the datatype `String` but not its constructor, since 
+the dataype is only imported as `provides`.
+Consequently, the only option for the name `String` in module `MX` is that datatype, 
+which then causes the error message.
+
+The fix to this is to declare the export as `export reveals String`.
+If `String` is meant to be opaque (only provided) then you cannot construct elements of it; 
+if it is meant to be transparent, then you must reveal it.
+
+# "Error: possible violation of function precondition for op(v)"
+
+
+Here is code that provoked this error (though the error message as been made more specific in later releases):
+```dafny
+ghost function Eval(): string -> bool {
+   EvalOperator(Dummy)
+}
+
+ghost function EvalOperator(op: string -> bool): string -> bool 
+{
+  (v: string) => op(v)
+}
+
+function Dummy(str: string): bool
+  requires str == []
+```
+
+The problem has to do with [arrow types](../../DafnyRef/DafnyRef#sec-arrow-types).
+In particular here, the argument of `EvalOperator` takes a `->` function, which is a total, heap-independent function.
+However, its argument, `Dummy`, is a partial, heap-independent function, because it has a precondition.
+If you want `EvalOperator` to be flexible enough to take partial functions, then declare `op` to have the type
+`string --> bool`.
+
+There is more on arrow types in the [reference manual](../DafnyRef/DafnyRef.html#sec-arrow-subset-types);
+
+# "Error: type ? does not have a member IsFailure"
+
+
+The `IsFailure` member is a necessary part of [_failure-compatible_ types](../..//DafnyRef/DafnyRef#sec-failure-compatible-types), which are used with the `:-` operator.
+See the discussion in the reference manual for more detail.
+
+# "Error: value does not satisfy subset constraints of T"
+
+
+The error "value does not satisfy subset constraints of T"
+for some type name `T` arises when a value is trying to be converted to a subset type `T`,
+and the value cannot be proved to satisfy the predicate that defines the subset type.
+
+This is pretty clear when one is trying to assign, say an `int` to a `nat`, but is more complex when using generic types.
+
+This example
+```dafny
+{% include_relative ERROR_Covariance.dfy %}
+```
+produces
+```text
+{% include_relative ERROR_Covariance.txt %}
+```
+
+The problem is that the code is trying to convert a `formula<neg>` to a `formula<real>`.
+While a `neg` is a subtype of `real`, that does not imply a subtype relationship between
+`formula<neg>` and `formula<real>`.
+That relationship must be declared in the definition of `formula`.
+By default, the definition of a generic type is _non-variant_, meaning there is no
+subtype relationship between `formula<T>` and `formula<U>` when `T` is a subtype of `U`.
+What is wanted here is for `formula` to be _covariant_, so that
+`formula<T>` is a subtype of `formula<U>` when `T` is a subtype of `U`.
+For that, use the declaration `formula<+T>`.
+
+To declare `formula` as _contravariant_ use `formula<-T>`. Then `formula<U>` is a subtype of `formula<T>` when `T` is a subtype of `U`.
+
+Type parameter characteristics are discussed in [the reference manual](../DafnyRef/DafnyRef.html#sec-type-parameter-variance)
+
+# "Error: function precondition might not hold"
+
+
+This error can occur when trying to write a sequence comprehension expression like
+```dafny
+{% include_relative ERROR_SeqComp.dfy %}
+```
+which produces
+```text
+{% include_relative ERROR_SeqComp.txt %}
+```
+
+The problem is that current Dafny does not implicitly impose the condition that the function used to initialize the 
+sequence elements is only called with `nat` values less than the size of the new sequence. That condition has to be made explicit:
+```dafny
+{% include_relative ERROR_SeqComp1.dfy %}
+```
+
+# "Error: insufficient reads clause to invoke function"
+
+
+Example: This code
+```
+{% include_relative ERROR_InsufficientReads.dfy %}
+```
+produces this output:
+```
+{% include_relative ERROR_InsufficientReads.txt %}
+```
+
+This error message indicates that a nested call of a function needs a bigger `reads` set than its enclosing function provides.
+
+Another situation provoking this error is this:
+```dafny
+class A {
+  var x: int
+  predicate IsSpecial() reads this {
+    x == 2
+  }
+}
+type Ap  = x : A | x.IsSpecial() witness *
+```
+In this case the error message is a bit misleading. The real problem is that the predicate in the subset declaration (that is, `x.IsSpecial()`)
+is not allowed to depend on the heap, as `IsSpecial` does. If such a dependency were allowed, then changing some values in the heap could
+possibly change the predicate such that a value which was allowed in the subset type now suddenly is not. This situation would be a disaster for both
+soundness and ease of reasoning.
+
+Another variation on the above is this example:
+```dafny
+trait A { var x: int }
+type AZero = a: A | a.x == 0 witness *
+```
+where again the predicate depends on a heap variable `x`, which Dafny does not permit.
+
+And a final example:
+```dafny
+datatype Foo = Foo | Foofoo
+
+class Bar {
+  var foo: set<Foo>;
+  function method getFoo(): set<Foo> { this.foo }
+}
+```
+which produces `Error: insufficient reads clause to read field`. In this case the function `getFoo` does indeed have an insufficient reads clause, as
+it does not have one, yet it reads a field of `this`. You can insert either `reads this` or ``reads this`foo`` before the left brace.
+
+The code in the original question is fixed like this:
+```
+{% include_relative ERROR_InsufficientReads1.dfy %}
+```
+
+# Cannot export mutable field 'x' without revealing its enclosing class 'A'
+
+
+An example of this error is the code
+```dafny
+{% include_relative ERROR_MutableField.dfy %}
+```
+which produces the error
+```text
+{% include_relative ERROR_MutableField.txt %}
+```
+
+By only providing `A`, importers will know that `A` is a type, 
+but won’t know that it is a reference type (here, a class). 
+This makes it illegal to refer to a mutable field such as in the reads clause. 
+So, you have to export A by revealing it.
+
+Note, `export reveals A` does not export the members of A 
+(except, it does export the anonymous constructor of A, if there is one). 
+So, you still have control over which members of A to export.
+
+The following code verifies without error:
+```dafny
+{% include_relative ERROR_MutableField1.dfy %}
+```
+
+
+
+# "Error: this symbol not expected in Dafny"
+
+
+This error message is not clear and may come from a variety of sources. Here is one:
+```dafny
+{% include_relative ERROR_PostconditionLemma.dfy %}
+```
+which produces 
+```text
+{% include_relative ERROR_PostconditionLemma.txt %}
+```
+
+The error message points to the token `true` as the unexpected symbol.
+`true` is definitely a legitimate symbol in Dafny.
+
+The problem is that the `;` in the `ensures` clause is seen as the (optional) semicolon that can end
+the clause. Thus the `true` is interpreted as the (illegal) start to a new clause (or a `{` to start the body).
+
+The correct way to include a lemma with the postcondition is to use parentheses:
+`ensures (L(); true)
+
+# "Prover error: Unexpected prover response (getting info about 'unknown' response): (:reason-unknown 'Overflow encountered when expanding old_vector')"
+
+
+This error is caused by a bug in the Z3 backend tool used by Dafny. 
+As of v3.9.0 there is work underway to update Z3 to a more recent version.
+Until then, the best you can do is to try to change the verification condition sent to Z3 by splitting it up, using various Dafny options and attributes like `{:split_here}`, `{:focus}`, `/vcsSplitOnEveryAssert`, `/vcsMaxSplits`, and `/randomSeed`.
+
+
+# "Duplicate name of import: ..."
+
+
+This error results from importing two modules with the same name. For example
+```dafny
+import A.Util
+import B.util
+```
+In this case, the default name given to the two imports is the same: `Util`.
+To give them different names, use the longer form of the import statement
+```dafny
+import A.Util
+import BU = B.Util;
+```
+Now a name `N` from `A.Util` can  be referred to as `Util.N` and
+a name `N` from `B.Util` can be referred to as `BU.N`.
+
+# "Warning: /!\ No terms found to trigger on."
+
+
+This warning occurred with the following code:
+```dafny
+predicate ExistsSingleInstance(s : string32, delim : string32)
+  {
+    exists pos : nat ::
+      (pos <= |s| - |delim| && forall x : nat :: x < |delim| ==> s[pos + x] == delim[x]) &&
+      forall pos' : nat :: (pos' <= |s| - |delim| && forall y : nat :: y < |delim| ==> s[pos' + y] == delim[y]) ==> pos == pos'
+  }
+```
+
+The verifier uses quantifications by finding good ways to instantiate them.
+More precisely, it uses `forall` quantifiers by instantiating them and it proves `exists` quantifiers by finding witnesses for them.
+The warning you’re getting says that nothing stands out to the verifier as a good way to figure out good instantiations.
+
+In the case of `pos`, this stems from the fact that a good instantiation would be some `pos` for which the verifier already knows either `pos <= …` or `forall x :: …`, the former of which is not specific enough and the latter is too complicated for it to consider.
+
+The “no trigger” warning is fixed by this refactoring:
+```dafny
+predicate SingleInstance(s: string, delim: string, pos: nat)
+{
+  pos <= |s| - |delim| &&
+  forall x : nat :: x < |delim| ==> s[pos + x] == delim[x]
+}
+
+predicate ExistsSingleInstance'(s: string, delim: string)
+{
+  exists pos : nat ::
+    SingleInstance(s, delim, pos) &&
+    forall pos' : nat :: SingleInstance(s, delim, pos') ==> pos == pos'
+}
+```
+
+One more remark: The “no trigger” warning should be taken seriously, because it’s usually a sign that there will be problems with using the formula and/or problems with verification performance.
+
+# "Error: value does not satisfy the subset constraints of '(seq<uint8>, Materials.EncryptedDataKey) -> seq<uint8>' (possible cause: it may be partial or have read effects)"
+
+
+Here is an example of submitted code that produced this error:
+```dafny
+function EncryptedDataKeys(edks: Msg.EncryptedDataKeys):  (ret: seq<uint8>)
+  requires edks.Valid()
+{
+    UInt16ToSeq(|edks.entries| as uint16) + FoldLeft(FoldEncryptedDataKey, [], edks.entries)
+}
+
+function FoldEncryptedDataKey(acc: seq<uint8>, edk: Materials.EncryptedDataKey): (ret: seq<uint8>)
+  requires edk.Valid()
+{
+    acc + edk.providerID + edk.providerInfo + edk.ciphertext
+}
+```
+
+The general cause of this error is supplying some value to a situation where (a) the type of the target (declared variable, formal argument) is a subset type and (b) Dafny cannot prove that the value falls within the predicate for the subset type. In this example code, `uint8` is likely a subset type and could be at fault here.
+But more likely and less obvious is supplying `FoldEncryptedDataKey` as the actual argument to `FoldLeft`.
+
+The signature of `FoldLeft` is `function {:opaque} FoldLeft<A,T>(f: (A, T) -> A, init: A, s: seq<T>): A`.
+Note that the type of the function uses a `->` arrow, namely a total, heap-independent function (no requires or reads clause).
+But `FoldEncryptedDataKey` does have a requires clause. Since `->` functions are a subset type of partial, heap-dependent `~>` functions,
+the error message complains about the subset type constraints not being satisfied.
+
+These various arrow types are described in the [release notes](https://github.com/dafny-lang/dafny/releases/tag/v2.0.0)
+when they were first added to the language. They are also documented in the [reference manual](../DafnyRef/DafnyRef#sec-arrow-types).
diff --git a/v4.10.0/HowToFAQ/testfiles/a.dfy b/v4.10.0/HowToFAQ/testfiles/a.dfy
new file mode 100644
index 0000000..e69de29
diff --git a/v4.10.0/HowToFAQ/testsource/BadDoo.doo b/v4.10.0/HowToFAQ/testsource/BadDoo.doo
new file mode 100644
index 0000000..9653b51
--- /dev/null
+++ b/v4.10.0/HowToFAQ/testsource/BadDoo.doo
@@ -0,0 +1 @@
+Bad doo format
diff --git a/v4.10.0/HowToFAQ/testsource/TestA.dfy b/v4.10.0/HowToFAQ/testsource/TestA.dfy
new file mode 100644
index 0000000..87feb2d
--- /dev/null
+++ b/v4.10.0/HowToFAQ/testsource/TestA.dfy
@@ -0,0 +1,2 @@
+// Intentional error
+const k: int := true
diff --git a/v4.10.0/HowToFAQ/testsource/test1.dfy b/v4.10.0/HowToFAQ/testsource/test1.dfy
new file mode 100644
index 0000000..96a5652
--- /dev/null
+++ b/v4.10.0/HowToFAQ/testsource/test1.dfy
@@ -0,0 +1,3 @@
+method m(i: int) {
+  assert i := -1;
+}
diff --git a/v4.10.0/HowToFAQ/testsource/test2.dfy b/v4.10.0/HowToFAQ/testsource/test2.dfy
new file mode 100644
index 0000000..21414eb
--- /dev/null
+++ b/v4.10.0/HowToFAQ/testsource/test2.dfy
@@ -0,0 +1,2 @@
+const c := 6
+  const d := 7
diff --git a/v4.10.0/HowToFAQ/text1.dfy b/v4.10.0/HowToFAQ/text1.dfy
new file mode 100644
index 0000000..e107130
--- /dev/null
+++ b/v4.10.0/HowToFAQ/text1.dfy
@@ -0,0 +1,6 @@
+module M{
+method {:test} m() {}
+
+method Main() {}
+
+}
diff --git a/v4.10.0/HowToFAQ/text2.dfy b/v4.10.0/HowToFAQ/text2.dfy
new file mode 100644
index 0000000..177bf11
--- /dev/null
+++ b/v4.10.0/HowToFAQ/text2.dfy
@@ -0,0 +1,8 @@
+datatype D = A | B | ghost C
+method m(d: D) returns (r: bool) {
+  r := match d {
+   case A =>true 
+   case B =>true 
+   case C =>true 
+  };
+}
diff --git a/v4.10.0/HowToFAQ/text3.dfy b/v4.10.0/HowToFAQ/text3.dfy
new file mode 100644
index 0000000..db0cb9d
--- /dev/null
+++ b/v4.10.0/HowToFAQ/text3.dfy
@@ -0,0 +1,4 @@
+class A { static const f: int }
+method m(a: A) {
+ var i := A.f; 
+}
diff --git a/v4.10.0/HowToFAQ/text4.dfy b/v4.10.0/HowToFAQ/text4.dfy
new file mode 100644
index 0000000..b27da44
--- /dev/null
+++ b/v4.10.0/HowToFAQ/text4.dfy
@@ -0,0 +1,2 @@
+function f(i: int, j: int): int 
+const c := f(2,3,4)
diff --git a/v4.10.0/HowToFAQ/text5.dfy b/v4.10.0/HowToFAQ/text5.dfy
new file mode 100644
index 0000000..b67be5c
--- /dev/null
+++ b/v4.10.0/HowToFAQ/text5.dfy
@@ -0,0 +1 @@
+const z := 1 as bv4 | 1 as bv2 << 2
diff --git a/v4.10.0/HowToFAQ/text6.dfy b/v4.10.0/HowToFAQ/text6.dfy
new file mode 100644
index 0000000..7d8337a
--- /dev/null
+++ b/v4.10.0/HowToFAQ/text6.dfy
@@ -0,0 +1,4 @@
+datatype Record = Record(x: int, ghost y: int)
+method m(r: Record) returns (rr: Record) {
+  rr := r.(y:=43);
+}
diff --git a/v4.10.0/Installation.md b/v4.10.0/Installation.md
new file mode 100644
index 0000000..991e4b0
--- /dev/null
+++ b/v4.10.0/Installation.md
@@ -0,0 +1,249 @@
+---
+title: Installation Instructions
+---
+
+This page has instructions for installing Dafny by typical users:
+
+* Using IDEs: [VSCode](#Visual-Studio-Code), [Emacs](#Emacs)
+* Installing a binary build ([Windows](#windows-binary), [Linux](#linux-binary), or [Mac](#Mac-binary))
+* [Installing the tools necessary to compile to other languages](#compiling-dafny)
+
+
+* Instructions for creating an environment in which to develop Dafny and compile it from source 
+are in the [Dafny project wiki](https://github.com/dafny-lang/dafny/wiki/INSTALL)
+
+System Requirements
+===================
+
+The `dafny tool` is a .NET 8.0 artifact, but it compiles to native executables on supported platforms.
+That and the Z3 tool are all that is needed to use dafny for verification; additional tools are 
+need for compilation, as described below.
+
+## Operating Systems
+
+In addition to running dafny, the host OS must also be able to run the Z3 executable that is bundled with dafny.
+(The Dafny tools are tested using github runners, which limits the set of platforms that can be tested.)
+
+- Linux: `dafny` is tested on Ubuntu 20.04 and 22.04.
+- MacOS: `dafny` is tested on MacOS 11 (Big Sur) and MacOS 12 (Monterey)
+- Windows: `dafny` is tested on Windows 2019 and Windows 2022
+
+## Compilers {#compiling-dafny}
+
+The Dafny compiler performs two tasks:
+- It translates a Dafny program into a target (source) programming language. This action requires only
+the Dafny tool.
+- The tool launches external processes, including the target language tools installed on the host OS,
+to compile and run the previously generated source code.
+
+In addition, the Dafny toolkit supplies runtime libraries, either in source form or compiled for the target programming language.
+
+### C#
+
+- Dafny targeting C# produces C#10-compatible source code.
+- Only the .NET 8.0 set of tools (which includes the C# compiler) is needed to compile and run the generated C# code.
+- The Dafny runtime library is included as C# source along with the generated C# code, so the user can compile those sources
+and any user code in one project.
+
+### Java
+
+- Dafny targeting Java produces Java 8-compatible source.
+- The 'javac', 'jar, and 'java' executables are needed on the host system to compile and run Dafny-generated Java source code.
+- A Dafny-produced Java program must be run with the supplied DafnyRuntime.jar. This jar is compiled to run with Java 8.
+
+### Javascript
+
+- Dafny targeting Javascript produces Javascript source consistent with Node.js v 16.0.0
+
+### Python
+
+- Dafny targeting Python produces targets Python 3.7 source.
+- Only the python executable is needed to compile and run Dafny-generated Python source code.
+- The Dafny runtime library is included as source, so both the generated code, the library and any user python code can be compiled together
+with the user's choice of python tool (that compiles at least 3.7).
+
+### Go
+
+- Dafny targeting Go produces Go source content consistent with Go 1.18.
+
+### Rust
+
+- Partial and growing support
+
+### C++
+
+C++ has only rudimentary special purpose support at present.
+
+
+Using an IDE
+============
+
+The easiest way to get started with Dafny is using the Dafny IDEs, since they continuously run the verifier in
+the background. Be sure to check out the [Dafny tutorial](https://dafny.org/latest/OnlineTutorial/guide)!
+
+For most users, we recommend using Dafny with VS Code, which has an easy installation, as explained next:
+
+## Visual Studio Code {#Visual-Studio-Code}
+
+0. Install [Visual Studio Code](https://code.visualstudio.com/)
+1. If you are on a Mac or Linux, install .NET 8.0, as described under those platforms below.
+2. In Visual Studio Code, press `Ctrl+P` (or `⌘P` on a Mac), and enter `ext install dafny-lang.ide-vscode`.
+3. If you open a `.dfy` file, Dafny VSCode will offer to download and install the latest Dafny. You can also browse extensions:
+  ![vs-code-dafny-2 0 1-install](https://user-images.githubusercontent.com/3601079/141353551-5cb5e23b-5536-47be-ba17-e5af494b775c.gif)
+
+## Emacs {#Emacs}
+
+The README at [https://github.com/boogie-org/boogie-friends](https://github.com/boogie-org/boogie-friends) has plenty of
+information on how to set-up Emacs to work with Dafny. In short, it boils down
+to running `[M-x package-install RET boogie-friends RET]` and adding the following
+to your `.emacs`:
+```
+(setq flycheck-dafny-executable "[path to dafny]/dafny/Scripts/dafny")
+```
+
+Do look at the README, though! It's full of useful tips.
+
+
+
+Install the binaries from the github releases
+=============================================
+
+The following instructions
+tell you how to install Dafny so that you can run it from various operating systems as a command-line tool.
+
+If you wish to compile to target languages, see the instructions in a subsequent section to
+install the correct dependencies for the desired language.
+
+## Windows (Binary) {#windows-binary}
+
+To install Dafny on your own machine, 
+
+* Install (if not already present) .NET Core 8.0: `https://dotnet.microsoft.com/download/dotnet/8.0`
+* Download the windows zip file from the [releases page](https://github.com/dafny-lang/dafny/releases/latest) and **save** it to your disk. 
+* Then, **before you open or unzip it**, right-click on it and select Properties; at the bottom of the dialog, click the **Unblock** button and then the OK button. 
+* Now, open the zip file and copy its contents into a directory on your machine. (You can now delete the zip file.)
+
+Then:
+
+-   To run Dafny from the command line, simply run `Dafny.exe`.
+
+## Linux (Binary) {#linux-binary}
+
+To install a binary installation of dafny on Linux (e.g., Ubuntu), do the following:
+* Install .NET 8.0. See: `https://docs.microsoft.com/dotnet/core/install/linux` or `sudo apt install dotnet-sdk-8.0`
+* Install the Linux binary version of Dafny, from `https://github.com/dafny-lang/dafny/releases/latest`
+* Unzip the downloaded file in a (empty) location of your choice
+
+Within the unzipped Linux distribution, the dafny executable is `dafny/dafny`
+
+If you intend to use the Dafny compiler, install the appropriate tools as described [here](#compiling-dafny)
+
+After the compiler dependencies are installed, you can run a quick test of the installation by running the script 
+`$INSTALL/dafny/quicktest.sh`
+
+## Mac (Binary) {#Mac-binary}
+
+To install a binary installation of Dafny on macOS, do one of the following:
+
+Either  
+   * Install the Mac binary version of Dafny, from `https://github.com/dafny-lang/dafny/releases/latest`
+   * Unzip the downloaded file in a (empty) location of your choice (`$INSTALL`)
+   * `cd` into the installation directory (`$INSTALL/dafny`) and run the script `./allow_on_mac.sh`
+   * Dafny is run with the command `$INSTALL/dafny/dafny`
+
+or
+   * Install Dafny using brew, with the command `brew install dafny` (the version on brew sometimes lags the
+     project release page)
+   * Run Dafny with the command `dafny`
+
+If you intend to use the Dafny compiler, install the appropriate tools as described [here](#compiling-dafny).
+
+After the compiler dependencies are installed, you can run a quick test of the installation by running the script 
+`$INSTALL/dafny/quicktest.sh`
+
+## NuGet (Binary)
+
+The .NET [NuGet](https://www.nuget.org/) repository collects .NET libraries and tools for easy installation. Dafny is available on NuGet, and can be installed as follows:
+
+* Install .NET 8.0 as described for your platform in one of the subsections above.
+* Install a binary version of Z3 4.12.1 for your platform from its [GitHub releases page](https://github.com/Z3Prover/z3/releases/tag/Z3-4.12.1) and put the `z3` executable in your `PATH`.
+* Install Dafny using `dotnet tool install --global dafny` (or leave out the `--global` to use with `dotnet tool run` from the source directory of a .NET project).
+
+
+## Compiling Dafny {#compiling-dafny}
+
+The instructions here describe the dependencies needed to have the tools to compile to various languages
+and the procedure to use for simple programs.
+
+Note that a pure Dafny program (say `A.dfy`) can be compiled and run in one step using `dafny run A.dfy`
+and can be run for a particular programming language with the `--target` option (the default target is C#). 
+Additional instructions are found in the [Dafny User Guide](DafnyRef/DafnyRef#sec-dafny-run).
+
+### C# (.Net)
+
+Install .NET 8.0:
+* Windows) `https://dotnet.microsoft.com/download/dotnet/8.0`
+* Linux) Install .NET 8.0. See: `https://docs.microsoft.com/dotnet/core/install/linux` or `sudo apt install dotnet-sdk-8.0`
+* Mac) Install .NET 8.0: `brew install dotnet-sdk` or from `https://docs.microsoft.com/dotnet/core/install/macos`
+
+
+To separately compile and run your program for .NET:
+- `dafny build -t:cs MyProgram.dfy`
+- `MyProgram.exe`
+
+
+### Javascript
+
+To set up Dafny to compile to JavaScript (node.js):
+* Install node.js from [https://nodejs.org/en/download](https://nodejs.org/en/download) or
+   * Linux: `sudo apt install nodejs npm` and make sure `node` and `npm` are on your path
+   * Mac: `brew install node`
+
+To separately compile and run your program for JavaScript:
+- `npm install bignumber.js`
+- `dafny build -t:js MyProgram.dfy`
+- `node MyProgram.js`
+
+### Go
+
+To set up Dafny to compile to Go:
+* Install Go from [https://golang.org/dl](https://golang.org/dl) or
+   * Linux: `sudo apt install golang`
+   * Mac: `brew install golang`
+* Install `goimports` from [https://pkg.go.dev/golang.org/x/tools/cmd/goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)
+   * `go install golang.org/x/tools/cmd/goimports@latest`
+* Make sure `go` and `goimports` are on your path
+
+To separately compile and run your program for Go:
+- `dafny build --target:go MyProgram.dfy`
+- `./MyProgram` or ``(cd MyProgram-go; GO111MODULE=auto GOPATH=`pwd` go run src/MyProgram.go )``
+
+### Java
+
+To set up Dafny to compile to Java:
+* Install Java (at least Java 8) from https://www.oracle.com/java/technologies/javase-downloads.html
+  or install Amazon Corretto from https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/what-is-corretto-11.html
+  (see the platform-specific links on the left of that page)
+  or, on a Mac, `brew install java`
+* Install [gradle](https://gradle.org/) or, on a Mac, `brew install gradle`
+
+To separately compile and run your program for Java:
+- `dafny build -t:java MyProgram.dfy`
+- `java -jar MyProgram.jar`
+
+### Python
+
+To setup Dafny to compile to python3:
+* Install python3:
+   * Windows)
+   * Linux)
+   * Mac) Likely already installed in the MacOS, but otherwise use `brew install python3`
+
+To separately compile and run your program for Python:
+- `dafny build -t:py MyProgram.dfy`
+- `python3 MyProgram-py/MyProgram.py`
+
+### Rust
+
+To setup Dafny to compile to Rust:
+* Install Rust from https://rustup.rs/
diff --git a/v4.10.0/KDESyntaxDefinition/dafny.theme b/v4.10.0/KDESyntaxDefinition/dafny.theme
new file mode 100644
index 0000000..c8925df
--- /dev/null
+++ b/v4.10.0/KDESyntaxDefinition/dafny.theme
@@ -0,0 +1,211 @@
+{
+    "text-color": null,
+    "background-color": "#e0e0e0",
+    "line-number-color": "#aaaaaa",
+    "line-number-background-color": null,
+    "text-styles": {
+        "Other": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Attribute": {
+            "text-color": "#707000",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "SpecialString": {
+            "text-color": "#008080",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Annotation": {
+            "text-color": "#707000",
+            "background-color": null,
+            "bold": true,
+            "italic": true,
+            "underline": false
+        },
+        "Function": {
+            "text-color": "#000000",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "String": {
+            "text-color": "#00a0a0",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "ControlFlow": {
+            "text-color": "#700000",
+            "background-color": null,
+            "bold": true,
+            "italic": false,
+            "underline": false
+        },
+        "Operator": {
+            "text-color": "#ce5c00",
+            "background-color": null,
+            "bold": true,
+            "italic": false,
+            "underline": false
+        },
+        "Punctuation": {
+            "text-color": "#8e3c00",
+            "background-color": null,
+            "bold": true,
+            "italic": false,
+            "underline": false
+        },
+        "Error": {
+            "text-color": "#000000",
+            "background-color": "#ff0000",
+            "bold": true,
+            "italic": false,
+            "underline": false
+        },
+        "BaseN": {
+            "text-color": "#0000b0",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Alert": {
+            "text-color": "#000000",
+            "background-color": "#ff0000",
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Variable": {
+            "text-color": "#000000",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Extension": {
+            "text-color": null,
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Preprocessor": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": false,
+            "italic": true,
+            "underline": false
+        },
+        "Information": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": true,
+            "italic": true,
+            "underline": false
+        },
+        "VerbatimString": {
+            "text-color": "#007070",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Warning": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": true,
+            "italic": true,
+            "underline": false
+        },
+        "Documentation": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": true,
+            "italic": true,
+            "underline": false
+        },
+        "Import": {
+            "text-color": null,
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Char": {
+            "text-color": "#00a0a0",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "DataType": {
+            "text-color": "#6000ff",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Float": {
+            "text-color": "#0000cf",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Comment": {
+            "text-color": "#00aa00",
+            "background-color": null,
+            "bold": false,
+            "italic": true,
+            "underline": false
+        },
+        "CommentVar": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": true,
+            "italic": true,
+            "underline": false
+        },
+        "Constant": {
+            "text-color": "#000000",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "SpecialChar": {
+            "text-color": "#803000",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "DecVal": {
+            "text-color": "#0000cf",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Keyword": {
+            "text-color": "#700000",
+            "background-color": null,
+            "bold": true,
+            "italic": false,
+            "underline": false
+        }
+    }
+}
diff --git a/v4.10.0/KDESyntaxDefinition/dafny.theme-comments b/v4.10.0/KDESyntaxDefinition/dafny.theme-comments
new file mode 100644
index 0000000..a9101fe
--- /dev/null
+++ b/v4.10.0/KDESyntaxDefinition/dafny.theme-comments
@@ -0,0 +1,21 @@
+Since json files cannot have comments, here are notes on the Dafny theme categories:
+
+   "text-color"     default color for non-matched text -- null means black
+   "background-color"  color of the background behind the code -- here a light gray
+   "Other"          specification keyword, e.g. requires
+   "Attribute"      attributes, e.g. {:MyAttribute }
+   "String"         standard quoted string, e.g. "abc\n\u2222"
+   "Operator"       standard prefix and infix operators, e.g. + - == ==> in !in .. :
+   "SpecialChar"    non-operator symbols, e.g. ( ) :: etc.
+   "Error"          an error token, e.g. a stand-alone @ or $
+   "BaseN"          hex constants
+   "Variable"       identifiers, e.g. abc 'a 'a'a '\u' array1
+   "VerbatimString" a Dafny verbatim string e.g. @"x" @x"y""z\"
+   "Char"           a single-quoted character, e.g. 'a' '\n' '\u3333'
+   "DataType"       built-in data types, e.g. int seq
+   "Float"          a decimal number, e.g. 1_2.3_4
+   "Comment"        single and multi-line comments, e.g. /* comment */
+   "DecVal"         a natural number, e.g. 123_456
+   "Keyword"        reserved words that are not specification keywords or types, e.g. while
+
+
diff --git a/v4.10.0/KDESyntaxDefinition/dafny.xml b/v4.10.0/KDESyntaxDefinition/dafny.xml
new file mode 100644
index 0000000..2340520
--- /dev/null
+++ b/v4.10.0/KDESyntaxDefinition/dafny.xml
@@ -0,0 +1,245 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE language SYSTEM "language.dtd">
+
+<!-- This a KDE syntax definition file for the dafny language, used by the Rouge syntax highligher
+     when creating highlighted dafny code examples in pandoc-generated pdf files, in particular
+     the Dafny Reference Manual.
+     https://docs.kde.org/trunk5/en/applications/katepart/highlight.html
+-->
+
+<language name="dafny" version="3" kateversion="5.0" section="Sources" extensions="*.dfy" author="Robin Salkeld, David Cok" license="MIT">
+
+  <highlighting>
+    <list name="keywords">
+      <item>abstract</item>
+      <item>allocated</item>
+      <item>as</item>
+      <item>assert</item>
+      <item>assume</item>
+      <item>break</item>
+      <item>by</item>
+      <item>calc</item>
+      <item>case</item>
+      <item>class</item>
+      <item>codatatype</item>
+      <item>colemma</item>
+      <item>const</item>
+      <item>constructor</item>
+      <item>copredicate</item>
+      <item>datatype</item>
+      <item>default</item>
+      <item>else</item>
+      <item>exists</item>
+      <item>expect</item>
+      <item>export</item>
+      <item>extends</item>
+      <item>false</item>
+      <item>forall</item>
+      <item>free</item>
+      <item>fresh</item>
+      <item>function</item>
+      <item>ghost</item>
+      <item>if</item>
+      <item>import</item>
+      <item>in</item>
+      <item>include</item>
+      <item>inductive</item>
+      <item>iterator</item>
+      <item>label</item>
+      <item>lemma</item>
+      <item>match</item>
+      <item>method</item>
+      <item>modify</item>
+      <item>module</item>
+      <item>new</item>
+      <item>newtype</item>
+      <item>null</item>
+      <item>old</item>
+      <item>opened</item>
+      <item>predicate</item>
+      <item>print</item>
+      <item>provides</item>
+      <item>refines</item>
+      <item>return</item>
+      <item>returns</item>
+      <item>reveals</item>
+      <item>static</item>
+      <item>then</item>
+      <item>this</item>
+      <item>trait</item>
+      <item>true</item>
+      <item>twostate</item>
+      <item>type</item>
+      <item>unchanged</item>
+      <item>var</item>
+      <item>where</item>
+      <item>while</item>
+      <item>yield</item>
+      <item>yields</item>
+    </list>
+    <!-- type names that start a generic type are part of a RegExpr below -->
+    <list name="types">
+      <item>bool</item>
+      <item>char</item>
+      <item>int</item>
+      <item>nat</item>
+      <item>object</item>
+      <item>object?</item>
+      <item>real</item>
+      <item>string</item>
+      <item>ORDINAL</item>
+    </list>
+
+    <list name="verification keywords">
+      <item>decreases</item>
+      <item>ensures</item>
+      <item>invariant</item>
+      <item>modifies</item>
+      <item>provides</item>
+      <item>reads</item>
+      <item>requires</item>
+      <item>reveals</item>
+    </list>
+
+    <contexts>
+      <context name="Normal" attribute="Normal Text" lineEndContext="#stay">
+         <!-- NOTE: THE ORDER OF REGEXPR RULES MATTERS:  the first match wins.
+              This fact can be used to simplify later rules,
+              at the risk of introducing errors if the rules are reordered.  -->
+
+        <!-- Either an entire attribute if it has no expressions, or just the opening and attribute name,
+             so that the expressions get their own coloring -->
+        <RegExpr attribute="Attribute" String="\{:\s*[a-zA-Z0-9_'?]+(?:\s+\})?" />
+
+        <!-- Complicated set of rules to distinguish builtin types and identifiers -->
+        <RegExpr attribute="Ident" String="(?:bool|char|int|nat|real|string)[a-zA-Z0-9_'?]+" />
+        <RegExpr attribute="Ident" String="(?:object[?])[a-zA-Z0-9_'][a-zA-Z0-9_'?]*" />
+        <keyword attribute="Types" String="types" context="#stay" />
+        <RegExpr attribute="Types" String="(?:bv(0|[1-9]\d*))(?![a-zA-Z0-9_'?])"/>
+        <RegExpr attribute="Types" String="array(?:1\d+|[2-9]\d*)?[?]?(?![a-zA-Z0-9_'?])"/>
+        <RegExpr attribute="Types" String="(?:seq|set|iset|map|imap|multiset)(?:\s*&lt;)" context="TypeParameters" />
+        <RegExpr attribute="Types" String="(?:seq|set|iset|map|imap|multiset)(?![a-zA-Z_'?0-9])" context="#stay" />
+
+        <!-- Digit sequence ending in _ is an error -->
+        <RegExpr attribute="Error" String="[0-9]+(?:_[0-9]+)*_(?![0-9])" />
+        <RegExpr attribute="BaseN" String="0x[0-9a-fA-F]+(?:_[0-9a-fA-F]+)*" />
+        <RegExpr attribute="Decimal" String="[0-9]+(?:_[0-9]+)*" />
+        <RegExpr attribute="Float" String="[0-9]+(?:_[0-9]+)*\.[0-9]+(?:_[0-9]+)*" />
+
+        <!-- Complicated set of rules to distinguish characters and identifiers -->
+        <!--      Normal quoted character, not followed by an further ident-characters, e.g. 'a' -->
+        <RegExpr attribute="Char" String="\'[^\\]\'(?![a-zA-Z0-9'_?])" />
+        <!--      Escape characters, not followed by any further ident-characters, e.g. '\n' -->
+        <RegExpr attribute="Char" String="\'\\[0ntr'&quot;\\]\'(?![a-zA-Z0-9'_?])" />
+        <!--      Unicode characters, not followed by any further ident-characters, e.g. '\u5555' -->
+        <RegExpr attribute="Char" String="\'\\u[0-9A-Fa-f]{4}\'(?![a-zA-Z0-9'_?])" />
+        <!--      Malformed unicode is an identifier, e.g. '\u2222X' '\u222' '\u222Z' -->
+        <RegExpr attribute="Ident" String="\'\\u[0-9A-Fa-f]{4}[^\']+\'" />
+        <RegExpr attribute="Ident" String="\'\\u[0-9A-Fa-f]{0,3}[^'0-9A-Fa-f]*\'" />
+        <!--      Malformed regular escape is an identifier, e.g. '\Z' -->
+        <RegExpr attribute="Ident" String="\'\\[^0rnt\\'&quot;]\'" />
+
+        <!-- Comments must be before operators -->
+        <Detect2Chars attribute="Comment" char="/" char1="/" context="SingleLineComment" />
+        <Detect2Chars attribute="Comment" char="/" char1="*" context="MultiLineComment" />
+
+        <!-- operators, error chars and punctuation -->
+        <RegExpr attribute="Operators" String="!in(?![0-9a-zA-Z_'?])" />
+        <RegExpr attribute="Operators" String="in(?![0-9a-zA-Z_'?])" />
+        <RegExpr attribute="Operators" String="(?:\+|-|\*|/|%|&lt;(?:=(?:=(?:&gt;)?)?)?|&gt;(?:=)?|=&gt;|==[&gt;#]|!=[#]?|&amp;&amp;|\|\||![!]?|[~]|#|\.\.|:)" />
+        <RegExpr attribute="Error" String="(?:\$)" />
+
+        <RegExpr attribute="Punctuation" String="(?:;|\(|\)|\[|\]|\{|\}|,|\.|:[=|]|`|\|)" />
+
+        <!-- Openings for quoted and verbatim strings -->
+        <DetectChar attribute="String" char="&quot;" context="Quoted String" />
+        <Detect2Chars attribute="VerbatimString" char="@" char1="&quot;" context="Verbatim String" />
+        <!-- @ followed by id is a old expression -->
+        <RegExpr attribute="Punctuation" String="@(?=[ \t]*[_a-zA-Z'?])" />
+        <!-- Standalone @ is a error -->
+        <RegExpr attribute="Error" String="@" />
+
+        <!-- Order of these rules matters; the following three should be after all those above -->
+        <keyword attribute="Assertions" String="verification keywords" context="#stay" />
+        <keyword attribute="Keyword" String="keywords" context="#stay" />
+        <!-- Anything that is not an ident is already matched -->
+        <RegExpr attribute="Ident" String="[a-zA-Z0-9_'?][a-zA-Z0-9_'?]*" />
+
+      </context>
+
+      <context name="TypeParameters" attribute="Types" lineEndContext="#stay">
+        <keyword attribute="Types" String="types" context="#stay" />
+        <RegExpr attribute="Types" String="bv[1-9]\d*(?![a-zA-Z0-9_'?])" context="#stay" />
+        <RegExpr attribute="Types" String="array(?:1\d|[2-9])\d*[?]?(?![a-zA-Z0-9_'?])" context="#stay"/>
+        <RegExpr attribute="Types" String="(?:seq|set|iset|map|imap|multiset)\s*&lt;" context="TypeParameters" />
+        <RegExpr attribute="Types" String="[a-zA-Z_'?][a-zA-Z0-9_'?]*" context="#stay" />
+        <RegExpr attribute="Types" String="\s+" context="#stay" />
+        <RegExpr attribute="Types" String=",(?!\s*[,&gt;])" context="#stay" />
+        <RegExpr attribute="Error" String=",(?=\s*[,&gt;])" context="#stay" />
+        <RegExpr attribute="Types" String="&gt;" context="#pop" />
+        <RegExpr attribute="Error" String="[^a-zA-Z_'?]" />
+      </context>
+
+      <context name="Quoted String" attribute="String" lineEndContext="#pop">
+        <!-- string holds anything other than a double-quote or backslash -->
+        <RegExpr attribute="String" String="[^&quot;\\]+" />
+        <!-- standard 7 escape characters -->
+        <RegExpr attribute="String" String="\\[0nrt'&quot;\\]" />
+        <!-- unicode characters -->
+        <RegExpr attribute="String" String="\\u[0-9A-Fa-f]{4}" />
+        <!-- badly formed unicode character -->
+        <RegExpr attribute="Error" String="\\u[0-9A-Fa-f]{0,3}(?![0-9A_Fa-f])" />
+        <!-- badly formed escape -->
+        <RegExpr attribute="Error" String="\\[^u0rnt\\'&quot;]" />
+        <!-- unescaped quote ends string -->
+        <DetectChar attribute="String" char="&quot;" context="#pop" />
+      </context>
+
+      <context name="Verbatim String" attribute="VerbatimString" lineEndContext="#stay">
+        <!-- content holds all non-quote characters -->
+        <RegExpr attribute="VerbatimString" String="[^&quot;]+" context="#stay" />
+        <!-- two double-quote chars allowed -->
+        <Detect2Chars attribute="VerbatimString" char="&quot;" char1="&quot;" context="#stay" />
+        <!-- single double-quote char ends verbatim string -->
+        <DetectChar attribute="VerbatimString" char="&quot;" context="#pop" />
+      </context>
+
+      <context name="SingleLineComment" attribute="Comment" lineEndContext="#pop"/>
+      <context name="MultiLineComment" attribute="Comment" lineEndContext="#stay">
+        <Detect2Chars attribute="Comment" context="MultiLineComment" char="/" char1="*"/>
+        <Detect2Chars attribute="Comment" context="#pop" char="*" char1="/"/>
+      </context>
+      <context name="Documentation" attribute="Comment" lineEndContext="#pop" />
+    </contexts>
+
+    <itemDatas>
+      <itemData name="Normal Text" defStyleNum="dsNormal" />
+
+      <itemData name="Keyword" defStyleNum="dsKeyword" />
+      <itemData name="Types" defStyleNum="dsDataType" />
+      <itemData name="Assertions" defStyleNum="dsOthers" />
+
+      <itemData name="Decimal" defStyleNum="dsDecVal" />
+      <itemData name="BaseN" defStyleNum="dsBaseN" />
+      <itemData name="Float" defStyleNum="dsFloat" />
+      <itemData name="Char" defStyleNum="dsChar" />
+      <itemData name="String" defStyleNum="dsString" />
+      <itemData name="VerbatimString" defStyleNum="dsVerbatimString" />
+      <itemData name="Attribute" defStyleNum="dsAttribute" />
+      <itemData name="Operators" defStyleNum="dsOperator" />
+      <itemData name="Punctuation" defStyleNum="dsSpecialChar" />
+
+      <itemData name="Comment" defStyleNum="dsComment" />
+      <itemData name="Error" defStyleNum="dsError" />
+      <itemData name="Ident" defStyleNum="dsVariable" />
+    </itemDatas>
+  </highlighting>
+
+  <general>
+    <comments>
+      <comment name="singleLine" start="//" />
+      <comment name="multiLine" start="/*" end="*/" />
+    </comments>
+    <keywords casesensitive="1" />
+  </general>
+</language>
diff --git a/v4.10.0/KDESyntaxDefinition/grammar.theme b/v4.10.0/KDESyntaxDefinition/grammar.theme
new file mode 100644
index 0000000..9ad370e
--- /dev/null
+++ b/v4.10.0/KDESyntaxDefinition/grammar.theme
@@ -0,0 +1,211 @@
+{
+    "text-color": null,
+    "background-color": "#f8f8f8",
+    "line-number-color": "#aaaaaa",
+    "line-number-background-color": null,
+    "text-styles": {
+        "Other": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Attribute": {
+            "text-color": "#707000",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "SpecialString": {
+            "text-color": "#008080",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Annotation": {
+            "text-color": "#707000",
+            "background-color": null,
+            "bold": true,
+            "italic": true,
+            "underline": false
+        },
+        "Function": {
+            "text-color": "#000000",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "String": {
+            "text-color": "#00a0a0",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "ControlFlow": {
+            "text-color": "#700000",
+            "background-color": null,
+            "bold": true,
+            "italic": false,
+            "underline": false
+        },
+        "Operator": {
+            "text-color": "#ce5c00",
+            "background-color": null,
+            "bold": true,
+            "italic": false,
+            "underline": false
+        },
+        "Punctuation": {
+            "text-color": "#8e3c00",
+            "background-color": null,
+            "bold": true,
+            "italic": false,
+            "underline": false
+        },
+        "Error": {
+            "text-color": "#000000",
+            "background-color": "#ff0000",
+            "bold": true,
+            "italic": false,
+            "underline": false
+        },
+        "BaseN": {
+            "text-color": "#0000b0",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Alert": {
+            "text-color": "#000000",
+            "background-color": "#ff0000",
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Variable": {
+            "text-color": "#000000",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Extension": {
+            "text-color": null,
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Preprocessor": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": false,
+            "italic": true,
+            "underline": false
+        },
+        "Information": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": true,
+            "italic": true,
+            "underline": false
+        },
+        "VerbatimString": {
+            "text-color": "#007070",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Warning": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": true,
+            "italic": true,
+            "underline": false
+        },
+        "Documentation": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": true,
+            "italic": true,
+            "underline": false
+        },
+        "Import": {
+            "text-color": null,
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Char": {
+            "text-color": "#00a0a0",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "DataType": {
+            "text-color": "#6000ff",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Float": {
+            "text-color": "#0000cf",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Comment": {
+            "text-color": "#00aa00",
+            "background-color": null,
+            "bold": false,
+            "italic": true,
+            "underline": false
+        },
+        "CommentVar": {
+            "text-color": "#8f5902",
+            "background-color": null,
+            "bold": true,
+            "italic": true,
+            "underline": false
+        },
+        "Constant": {
+            "text-color": "#000000",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "SpecialChar": {
+            "text-color": "#803000",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "DecVal": {
+            "text-color": "#0000cf",
+            "background-color": null,
+            "bold": false,
+            "italic": false,
+            "underline": false
+        },
+        "Keyword": {
+            "text-color": "#700000",
+            "background-color": null,
+            "bold": true,
+            "italic": false,
+            "underline": false
+        }
+    }
+}
diff --git a/v4.10.0/KDESyntaxDefinition/grammar.xml b/v4.10.0/KDESyntaxDefinition/grammar.xml
new file mode 100644
index 0000000..841d2cc
--- /dev/null
+++ b/v4.10.0/KDESyntaxDefinition/grammar.xml
@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE language SYSTEM "language.dtd">
+
+<!-- This a KDE syntax definition file for grammar displays in the
+     Dafny reference manual, used by the Rouge syntax highligher
+     when creating highlighted dafny code examples in pandoc-generated pdf files.e
+     https://docs.kde.org/trunk5/en/applications/katepart/highlight.html
+-->
+
+<language name="grammar" version="3" kateversion="5.0" section="Sources" extensions="*.dfy" author="David Cok" license="MIT">
+
+  <highlighting>
+
+    <contexts>
+      <context name="Normal" attribute="Normal Text" lineEndContext="#stay">
+         <!-- NOTE: THE ORDER OF REGEXPR RULES MATTERS:  the first match wins.
+              This fact can be used to simplify later rules,
+              at the risk of introducing errors if the rules are reordered.  -->
+
+        <!-- Either an entire attribute if it has no expressions, or just the opening and attribute name,
+             so that the expressions get their own coloring -->
+
+        <!-- Complicated set of rules to distinguish builtin types and identifiers -->
+        <RegExpr attribute="Ident" String="(?:object[?])[a-zA-Z0-9_'][a-zA-Z0-9_'?]*" />
+        <RegExpr attribute="Error" String="(?:seq|set|iset|map|imap|multiset)(?![&lt;0-9a-zA-Z_'?])" />
+        <RegExpr attribute="Error" String="(?:seq|set|iset|map|imap|multiset)(?=\s+[^&lt;])" />
+        <!-- Digit sequence ending in _ is an error -->
+        <RegExpr attribute="Error" String="[0-9]+(?:_[0-9]+)*_(?![0-9])" />
+
+        <!--      Normal quoted character, not followed by an further ident-characters, e.g. 'a' -->
+        <RegExpr attribute="Char" String="\'[^\\]\'(?![a-zA-Z0-9'_?])" />
+        <!--      Escape characters, not followed by any further ident-characters, e.g. '\n' -->
+        <RegExpr attribute="Char" String="\'\\[0ntr'&quot;\\]\'(?![a-zA-Z0-9'_?])" />
+        <!--      Unicode characters, not followed by any further ident-characters, e.g. '\u5555' -->
+        <RegExpr attribute="Char" String="\'\\u[0-9A-Fa-f]{4}\'(?![a-zA-Z0-9'_?])" />
+        <!--      Malformed unicode is an identifier, e.g. '\u2222X' '\u222' '\u222Z' -->
+
+        <!-- Comments must be before operators -->
+        <Detect2Chars attribute="Comment" char="/" char1="/" context="SingleLineComment" />
+        <Detect2Chars attribute="Comment" char="/" char1="*" context="MultiLineComment" />
+
+        <RegExpr attribute="Punctuation" String="[+-={}()\.\[\]]" />
+
+        <!-- Openings for quoted strings -->
+        <DetectChar attribute="String" char="&quot;" context="Quoted String" />
+
+        <RegExpr attribute="Ident" String="[a-zA-Z0-9_'?][a-zA-Z0-9_'?]*" />
+
+      </context>
+
+      <context name="Quoted String" attribute="String" lineEndContext="#pop">
+        <!-- string holds anything other than a double-quote or backslash -->
+        <RegExpr attribute="String" String="[^&quot;\\]+" />
+        <!-- standard 7 escape characters -->
+        <RegExpr attribute="String" String="\\[0nrt'&quot;\\]" />
+        <!-- unicode characters -->
+        <RegExpr attribute="String" String="\\u[0-9A-Fa-f]{4}" />
+        <!-- badly formed unicode character -->
+        <RegExpr attribute="Error" String="\\u[0-9A-Fa-f]{0,3}(?![0-9A_Fa-f])" />
+        <!-- badly formed escape -->
+        <RegExpr attribute="Error" String="\\[^u0rnt\\'&quot;]" />
+        <!-- unescaped quote ends string -->
+        <DetectChar attribute="String" char="&quot;" context="#pop" />
+      </context>
+
+      <context name="SingleLineComment" attribute="Comment" lineEndContext="#pop"/>
+      <context name="MultiLineComment" attribute="Comment" lineEndContext="#stay">
+        <Detect2Chars attribute="Comment" context="MultiLineComment" char="/" char1="*"/>
+        <Detect2Chars attribute="Comment" context="#pop" char="*" char1="/"/>
+      </context>
+      <context name="Documentation" attribute="Comment" lineEndContext="#pop" />
+    </contexts>
+
+    <itemDatas>
+      <itemData name="Normal Text" defStyleNum="dsNormal" />
+
+      <itemData name="Keyword" defStyleNum="dsKeyword" />
+      <itemData name="Types" defStyleNum="dsDataType" />
+      <itemData name="Assertions" defStyleNum="dsOthers" />
+
+      <itemData name="Decimal" defStyleNum="dsDecVal" />
+      <itemData name="BaseN" defStyleNum="dsBaseN" />
+      <itemData name="Float" defStyleNum="dsFloat" />
+      <itemData name="Char" defStyleNum="dsChar" />
+      <itemData name="String" defStyleNum="dsString" />
+      <itemData name="VerbatimString" defStyleNum="dsVerbatimString" />
+      <itemData name="Attribute" defStyleNum="dsAttribute" />
+      <itemData name="Operators" defStyleNum="dsOperator" />
+      <itemData name="Punctuation" defStyleNum="dsSpecialChar" />
+
+      <itemData name="Comment" defStyleNum="dsComment" />
+      <itemData name="Error" defStyleNum="dsError" />
+      <itemData name="Ident" defStyleNum="dsVariable" />
+    </itemDatas>
+  </highlighting>
+
+  <general>
+    <comments>
+      <comment name="singleLine" start="//" />
+      <comment name="multiLine" start="/*" end="*/" />
+    </comments>
+    <keywords casesensitive="1" />
+  </general>
+</language>
diff --git a/v4.10.0/LICENSE b/v4.10.0/LICENSE
new file mode 100644
index 0000000..cae6223
--- /dev/null
+++ b/v4.10.0/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Dafny
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/v4.10.0/OnlineTutorial/Lemmas.1.expect b/v4.10.0/OnlineTutorial/Lemmas.1.expect
new file mode 100644
index 0000000..3f137e6
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.1.expect
@@ -0,0 +1,3 @@
+text.dfy(5,0): Error: out-parameter 'index', which is subject to definite-assignment rules, might be uninitialized at this return point
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Lemmas.10.expect b/v4.10.0/OnlineTutorial/Lemmas.10.expect
new file mode 100644
index 0000000..8d32067
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.10.expect
@@ -0,0 +1,4 @@
+text.dfy(15,17): Error: a precondition for this call could not be proved
+text.dfy(5,35): Related location: this is the precondition that could not be proved
+
+Dafny program verifier finished with 6 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Lemmas.2.expect b/v4.10.0/OnlineTutorial/Lemmas.2.expect
new file mode 100644
index 0000000..406404e
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.2.expect
@@ -0,0 +1,4 @@
+text.dfy(10,14): Error: this invariant could not be proved to be maintained by the loop
+ Related message: loop invariant violation
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Lemmas.3.expect b/v4.10.0/OnlineTutorial/Lemmas.3.expect
new file mode 100644
index 0000000..741469b
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.3.expect
@@ -0,0 +1,4 @@
+text.dfy(6,0): Error: a postcondition could not be proved on this return path
+text.dfy(5,10): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Lemmas.4.expect b/v4.10.0/OnlineTutorial/Lemmas.4.expect
new file mode 100644
index 0000000..dfd367e
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.4.expect
@@ -0,0 +1,4 @@
+text.dfy(6,0): Error: a postcondition could not be proved on this return path
+text.dfy(5,10): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 3 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Lemmas.5.expect b/v4.10.0/OnlineTutorial/Lemmas.5.expect
new file mode 100644
index 0000000..03712c4
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.5.expect
@@ -0,0 +1,4 @@
+text.dfy(3,0): Error: a postcondition could not be proved on this return path
+text.dfy(2,23): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Lemmas.6.expect b/v4.10.0/OnlineTutorial/Lemmas.6.expect
new file mode 100644
index 0000000..ec2db90
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.6.expect
@@ -0,0 +1,4 @@
+text.dfy(9,9): Error: a postcondition could not be proved on this return path
+text.dfy(2,23): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Lemmas.7.expect b/v4.10.0/OnlineTutorial/Lemmas.7.expect
new file mode 100644
index 0000000..538a5b4
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.7.expect
@@ -0,0 +1,4 @@
+text.dfy(5,0): Error: a postcondition could not be proved on this return path
+text.dfy(4,10): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 4 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Lemmas.8.expect b/v4.10.0/OnlineTutorial/Lemmas.8.expect
new file mode 100644
index 0000000..2b357b7
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.8.expect
@@ -0,0 +1,4 @@
+text.dfy(6,0): Error: a postcondition could not be proved on this return path
+text.dfy(5,10): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 4 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Lemmas.9.expect b/v4.10.0/OnlineTutorial/Lemmas.9.expect
new file mode 100644
index 0000000..974e28c
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.9.expect
@@ -0,0 +1,4 @@
+text.dfy(15,0): Error: a postcondition could not be proved on this return path
+text.dfy(14,10): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 6 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Lemmas.md b/v4.10.0/OnlineTutorial/Lemmas.md
new file mode 100644
index 0000000..48bda03
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Lemmas.md
@@ -0,0 +1,824 @@
+---
+title: Lemmas and Induction
+---
+
+# Lemmas and Induction
+
+## Introduction
+
+Sometimes there are steps of logic required to prove a program correct,
+but they are too complex for Dafny to discover and use on its own. When
+this happens, we can often give Dafny assistance by providing a *lemma*.
+
+Lemmas are theorems used to prove another result, rather than being a
+goal in and of themselves. They allow Dafny to break the proof into two:
+prove the lemma, then use it to prove the final result; the final result
+being the correctness of the program. By splitting it in this way, you
+can prevent Dafny from trying to bite off more than it can chew. Dafny,
+like computers in general, is very good at dealing with a bunch of specific
+details and covering all the cases, but it lacks the cleverness to see
+intermediate steps that make the proof process easier.
+
+By writing and using lemmas, you can point out what these steps are
+and when to use them in a program. They are particularly important for
+inductive arguments, which are some of the hardest problems for theorem
+provers.
+
+## Searching for Zero
+
+As our first look at lemmas, we will consider a somewhat contrived example: searching
+for zero in an array. What makes this problem interesting is that the array we are
+searching in has two special properties: all elements are non-negative, and each successive
+element decreases by at most one from the previous element. In code:
+
+<!-- %check-verify Lemmas.1.expect %options -->
+```dafny
+method FindZero(a: array<int>) returns (index: int)
+  requires forall i :: 0 <= i < a.Length ==> 0 <= a[i]
+  requires forall i :: 0 < i < a.Length ==> a[i-1]-1 <= a[i]
+{
+}
+```
+
+With these requirements, we can do something clever in our search routine: we can skip
+elements. Imagine that we are traversing through the array, and we see `a[j] == 7`.
+Then we know that `6 <= a[j+1]`, `5 <= a[j+2]`, etc. In fact, the next zero can't
+be until 7 more elements in the array. So we don't even have to search for a zero until
+`a[j+a[j]]`. So we could write a loop like:
+
+<!-- %check-verify Lemmas.2.expect -->
+```dafny
+method FindZero(a: array<int>) returns (index: int)
+  requires forall i :: 0 <= i < a.Length ==> 0 <= a[i]
+  requires forall i :: 0 < i < a.Length ==> a[i-1]-1 <= a[i]
+  ensures index < 0  ==> forall i :: 0 <= i < a.Length ==> a[i] != 0
+  ensures 0 <= index ==> index < a.Length && a[index] == 0
+{
+  index := 0;
+  while index < a.Length
+    invariant 0 <= index
+    invariant forall k :: 0 <= k < index && k < a.Length ==> a[k] != 0
+  {
+    if a[index] == 0 { return; }
+    index := index + a[index];
+  }
+  index := -1;
+}
+```
+
+This code will compute the right result, but Dafny complains about the second loop invariant.
+Dafny is not convinced that skipping all those elements is justified. The reason is that the
+precondition says that each successive element decreases by at most one, but it does not say
+anything about how elements further away are related. To convince it of this fact, we need to
+use a *lemma*.
+
+## Lemmas
+
+A `lemma` is syntactially a ghost method: the desired property stated by the lemma (more
+precisely, the conclusion of the lemma) is declared as the postcondition, just like you
+would for an ordinary method.  Unlike a method, a lemma is never allowed to change the
+state.  Since a lemma is ghost, it doesn't need to be called at run time, so the compiler
+erases it before producing executable code. The lemma is present solely for its effect
+on the verification of the
+program. You may think of lemmas as heavyweight assertions, in that they are only
+necessary to help the proof of the program along. A typical lemma might look like:
+
+<!-- %no-check -->
+```dafny
+lemma Lemma(...)
+  ensures (desirable property)
+{
+  ...
+}
+```
+
+For the zero search problem, the desirable property is that none of the elements from
+`index` until `index + a[index]` can be zero. We take the array and the index
+to start from as parameters, with the usual requirements from `FindZero`:
+
+<!-- %check-verify Lemmas.3.expect -->
+```dafny
+lemma SkippingLemma(a: array<int>, j: int)
+  requires forall i :: 0 <= i < a.Length ==> 0 <= a[i]
+  requires forall i :: 0 < i < a.Length ==> a[i-1]-1 <= a[i]
+  requires 0 <= j < a.Length
+  ensures forall i :: j <= i < j + a[j] && i < a.Length ==> a[i] != 0
+{
+  //...
+}
+```
+
+The postcondition is just the desirable property that we want. The extra restriction
+on `i` is because `j + a[j]` could be past the end of the array. We only
+want to talk about indices in that range which are also indices into the array. We
+then do a crucial step: check that our lemma is sufficient to prove the loop invariant.
+By making this check before filling in the lemma body, we ensure that we are trying to
+prove the right thing. The `FindZero` method becomes:
+
+<!-- %check-verify Lemmas.4.expect  -->
+```dafny
+lemma SkippingLemma(a: array<int>, j: int)
+  requires forall i :: 0 <= i < a.Length ==> 0 <= a[i]
+  requires forall i :: 0 < i < a.Length ==> a[i-1]-1 <= a[i]
+  requires 0 <= j < a.Length
+  ensures forall i :: j <= i < j + a[j] && i < a.Length ==> a[i] != 0
+{
+  //...
+}
+method FindZero(a: array<int>) returns (index: int)
+  requires forall i :: 0 <= i < a.Length ==> 0 <= a[i]
+  requires forall i :: 0 < i < a.Length ==> a[i-1]-1 <= a[i]
+  ensures index < 0  ==> forall i :: 0 <= i < a.Length ==> a[i] != 0
+  ensures 0 <= index ==> index < a.Length && a[index] == 0
+{
+  index := 0;
+  while index < a.Length
+    invariant 0 <= index
+    invariant forall k :: 0 <= k < index && k < a.Length ==> a[k] != 0
+  {
+    if a[index] == 0 { return; }
+    SkippingLemma(a, index);
+    index := index + a[index];
+  }
+  index := -1;
+}
+```
+
+Now Dafny does not complain about the `FindZero` method, as the
+lemma's postcondition shows that the loop invariant is preserved. It does
+complain about the lemma itself, which is not surprising given that the
+body is empty. In order to get Dafny to accept the lemma, we will have to
+demonstrate that the postcondition is true. We do this like we do everything
+in Dafny: writing code.
+
+We start with the crucial property of the array, that it only decreases
+slowly. We can ask whether certain properties hold by using assertions. For
+example, we can see that Dafny knows:
+
+<!-- %check-verify -->
+```dafny
+lemma SkippingLemma(a: array<int>, j: int)
+  requires forall i :: 0 <= i < a.Length ==> 0 <= a[i]
+  requires forall i :: 0 < i < a.Length ==> a[i-1]-1 <= a[i]
+  requires 0 <= j < a.Length - 3
+  // Note: the above has been changed so that the array indices below are good.
+{
+  assert a[j  ] - 1 <= a[j+1];
+  assert a[j+1] - 1 <= a[j+2];
+  assert a[j+2] - 1 <= a[j+3];
+  // therefore:
+  assert a[j  ] - 3 <= a[j+3];
+}
+```
+
+Thus we can see that Dafny can follow along in any individual step, and can
+even chain them appropriately. But the number of steps we need to make is not
+constant: it can depend on the value of `a[j]`. But we already have a
+construct for dealing with a variable number of steps: the while loop!
+
+We can use the very same construct here to get Dafny to chain the steps
+together. We want to iterate from `j` to `j + a[j]`, keeping
+track of the lower bound as we go. We also keep track of the fact that all
+of the elements we have seen so far are not zero:
+
+<!-- %check-verify -->
+```dafny
+lemma SkippingLemma(a: array<int>, j: int)
+  requires forall i :: 0 <= i < a.Length ==> 0 <= a[i]
+  requires forall i :: 0 < i < a.Length ==> a[i-1]-1 <= a[i]
+  requires 0 <= j < a.Length
+  ensures forall k :: j <= k < j + a[j] && k < a.Length ==> a[k] != 0
+{
+  var i := j;
+  while i < j + a[j] && i < a.Length
+    invariant i < a.Length ==> a[j] - (i-j) <= a[i]
+    invariant forall k :: j <= k < i && k < a.Length ==> a[k] != 0
+  {
+    i := i + 1;
+  }
+}
+method FindZero(a: array<int>) returns (index: int)
+  requires forall i :: 0 <= i < a.Length ==> 0 <= a[i]
+  requires forall i :: 0 < i < a.Length ==> a[i-1]-1 <= a[i]
+  ensures index < 0  ==> forall i :: 0 <= i < a.Length ==> a[i] != 0
+  ensures 0 <= index ==> index < a.Length && a[index] == 0
+{
+  index := 0;
+  while index < a.Length
+    invariant 0 <= index
+    invariant forall k :: 0 <= k < index && k < a.Length ==> a[k] != 0
+  {
+    if a[index] == 0 { return; }
+    SkippingLemma(a, index);
+    index := index + a[index];
+  }
+  index := -1;
+}
+```
+
+The first invariant gives the bound on the current element, if we haven't
+run into the end of the array already. For each index past `j` (of which there are
+`i-j`), the array can be one smaller, so this value is subtracted from `a[j]`.
+This only says that the current element cannot be zero, so without the second
+invariant, Dafny would not be able to know that there were no zeros. Dafny forgets
+everything about the executions of the loop except what is given in the invariants,
+so we need to build up the fact that there were no zeros anywhere so far.
+
+That's it! The body of the loop just increments the counter. As we saw
+before, Dafny is able to figure out each step on its own, so we don't need to
+do anything further. We just needed to give it the structure of the proof it needed
+to make. Sometimes the individual steps themselves are complex enough that they need
+their own little subproofs, using either a series of assert statements or a whole
+other lemma.
+
+When working with arrays, iteration is a natural solution to many problems.
+There are some times, however, when recursion is used to define functions or
+properties. In these cases, the lemmas usually have the same recursive structure.
+To see an example of this, we will consider the problem of counting.
+
+## Counting
+
+We will count the number of `true`s in a sequence of
+`bool`s, using the `count` function, given below:
+
+<!-- %check-verify -->
+```dafny
+function count(a: seq<bool>): nat
+{
+  if |a| == 0 then 0 else
+  (if a[0] then 1 else 0) + count(a[1..])
+}
+method m()
+{
+  assert count([]) == 0;
+  assert count([true]) == 1;
+  assert count([false]) == 0;
+  assert count([true, true]) == 2;
+}
+```
+
+The code is very straightforward, but one thing to notice
+is that the function is defined recursively. Recursive functions like this are prone
+to requiring lemmas. There is a desirable property of count that we would like to be
+able to use in verifying a program that uses this function: it distributes
+over addition. By this we mean:
+
+<!-- %no-check -->
+```dafny
+forall a, b :: count(a + b) == count(a) + count(b)
+```
+
+Here, the first plus (`+`) is sequence concatenation, and the second
+is integer addition. Clearly, we can break any sequence into two sequences `a`
+and `b`, count them separately, and add the results. This is true, but Dafny
+cannot prove it directly. The problem is that the function does not split the sequence
+in this way. The function takes the first element, computes its count, then adds it to
+the rest of the sequence. If `a` is long, then it can be a while before this
+unrolling process actually reaches `count(b)`, so Dafny does not attempt to unwrap
+more than a few recursive calls. (Two, to be exact. See the paper
+_Computing with an SMT solver_ by Amin, Leino, and Rompf, TAP 2014.)
+This is an example of a property that requires a lemma to demonstrate.
+
+In our case, we have two options for the lemma: we could write the same universal quantifier
+we had above, or we could make the lemma specific to a pair of sequences `a` and `b`.
+It turns out that when we want the distributive property, we don't need the full universal property.
+We are just interested in the fact that `count(a + b) == count(a) + count(b)` for two
+*specific* `a` and `b` that are known in the program. Thus when we invoke
+the lemma to get the property, we can tell it which two sequences we are interested in. If we have
+different sequences somewhere else, we can call the method with different arguments, just
+like a regular method. It turns out that proving the full universal property, while possible,
+is more work than proving the concrete, specific case, so we will tackle this case first.
+
+Thus the lemma should take as arguments the sequences of interest, and the postcondition is
+as follows:
+
+<!-- %check-verify Lemmas.5.expect -->
+```dafny
+lemma DistributiveLemma(a: seq<bool>, b: seq<bool>)
+  ensures count(a + b) == count(a) + count(b)
+{
+}
+function count(a: seq<bool>): nat
+{
+  if |a| == 0 then 0 else
+  (if a[0] then 1 else 0) + count(a[1..])
+}
+```
+
+## Proving the Distributive Property
+
+In order to write the lemma, we have to figure out a strategy for proving it. As you can
+verify above (no pun intended), the lemma does not work yet, as otherwise a lemma would be
+unnecessary. To do this, we note that the reason that Dafny could not prove this in the
+first place is that the `count` function is defined from the start of the sequence,
+while the distributive property operates on the middle of a sequence. Thus if we can find
+a way to work from the front of the sequence, then Dafny can follow along using the definition
+of the function directly.
+Well, what is the first element of the sequence? There are a few cases, based on which (if any) of
+`a` and `b` are the empty sequence. Thus our lemma will have to consider multiple cases, a common
+trait of lemmas. We notice that if `a == []`, then `a + b == b`, regardless of what
+`b` is. Lemmas handle cases using the same thing code does to handle cases: if statements. A short
+proof of the desirable property is given using asserts below.
+
+<!-- %check-verify Lemmas.6.expect -->
+```dafny
+lemma DistributiveLemma(a: seq<bool>, b: seq<bool>)
+  ensures count(a + b) == count(a) + count(b)
+{
+  if a == [] {
+    assert a + b == b;
+    assert count(a) == 0;
+    assert count(a + b) == count(b);
+    assert count(a + b) == count(a) + count(b);
+  } else {
+    //...
+  }
+}
+function count(a: seq<bool>): nat
+{
+  if |a| == 0 then 0
+  else (if a[0] then 1 else 0) + count(a[1..])
+}
+```
+
+We can test our lemma in this case by adding a requires clause that restricts `a` to this
+case. We find that the code verifies. This means that if `a == []`, then our lemma will
+correctly prove the postcondition. In this case, only the first assertion above is necessary;
+Dafny gets the rest of the steps on its own (try it!). Now we can consider the other case, when
+`0 < |a|`.
+
+
+Our goal is to relate `count(a + b)` to `count(a)` and `count(b)`. If `a`
+is not the empty sequence, then when we employ our trick of following the definition to expand
+`count(a + b)`, we get:
+
+<!-- %check-verify -->
+```dafny
+function count(a: seq<bool>): nat
+{
+  if |a| == 0 then 0 else
+    (if a[0] then 1 else 0) + count(a[1..])
+}
+method m2(a: seq<bool>, b:seq<bool>)
+  requires |a| > 0
+{
+  assert a + b == [a[0]] + (a[1..] + b);
+  assert count(a + b) == count([a[0]]) + count(a[1..] + b);
+}
+```
+
+Notice that we get `count([a[0]])` and `a[1..]`. These two terms would also appear
+if we expanded `count(a)`. Specifically:
+
+<!-- %check-verify -->
+```dafny
+method m2(a: seq<bool>, b:seq<bool>)
+  requires |a| > 0
+{
+  assert count(a) == count([a[0]]) + count(a[1..]);
+}
+function count(a: seq<bool>): nat
+{
+  if |a| == 0 then 0 else
+    (if a[0] then 1 else 0) + count(a[1..])
+}
+```
+
+Finally, we can substitute this definition for `count(a)` into the postcondition
+to get:
+
+<!-- %no-check -->
+```dafny
+  assert count(a + b) == count(a) + count(b); // postcondition
+  assert count(a + b) == count([a[0]]) + count(a[1..]) + count(b);
+```
+
+Now this looks very similar to the expression we got after expanding `count(a + b)`.
+The only difference is that `count(a[1..] + b)` has become `count(a[1..]) + count(b)`.
+But this is exactly the property we are trying to prove!
+
+
+## Induction
+
+The argument we are trying to make is *inductive*. We can prove our goal given
+that a smaller version of the problem is true. This is precisely the concept of induction:
+use a smaller version of a problem to prove a larger one. To do this, we call the recursive
+property from within our code. It is a method, so it can be invoked whenever we need it.
+
+Dafny will assume that the recursive call satisfies the specification. This is the inductive
+hypothesis, that all recursive calls of the lemma are valid. This depends crucially on the fact that
+Dafny also proves termination. This means that eventually, the lemma won't make another recursive call. In
+this instance, this is the first branch of the if statement. If there is no recursive call, then
+the lemma must be proven directly for that case. Then each call in the stack is justified in assuming
+the lemma works for the smaller case. If Dafny did not prove the chain terminated, then the chain could
+continue forever, and the assumption for each call would not be justified.
+
+Induction in general is finding a way to build your goal
+one step at a time. Viewed another way, it is proving your goal in terms of a smaller version. The distributive
+lemma is proven by deconstructing the concatenated sequence one element at a time until the first sequence
+is entirely gone. This case is proven as a base case, and then the whole chain of deconstructions is verified.
+
+The key to making this work is that Dafny never has to consider the whole chain of calls. By checking
+termination, it can get the chain is finite. Then all it has to do is check one step. If one arbitrary step
+is valid, then the whole chain must be as well. This is the same logic that Dafny uses for loops: check that
+the invariant holds initially, and that one arbitrary step preserves it, and you have checked the whole loop,
+regardless of how many times the loop goes around. The similarity is more than superficial. Both kinds of lemmas
+(and both kinds of reasoning Dafny makes about your program) are *inductive*. It is also not surprising
+given the relationship between iteration and recursion as two means of achieving the same thing.
+
+With this in mind, we can complete the lemma by calling the lemma recursively in the else branch of the
+if statement:
+
+<!-- %check-verify -->
+```dafny
+lemma DistributiveLemma(a: seq<bool>, b: seq<bool>)
+  ensures count(a + b) == count(a) + count(b)
+{
+  if a == [] {
+    assert a + b == b;
+  } else {
+    DistributiveLemma(a[1..], b);
+    assert a + b == [a[0]] + (a[1..] + b);
+  }
+}
+function count(a: seq<bool>): nat
+{
+  if |a| == 0 then 0 else
+    (if a[0] then 1 else 0) + count(a[1..])
+}
+```
+
+Now the lemma verifies. But what if we wanted to express that every pair of sequences is related in
+this way? We must look at another use of lemmas in Dafny in order to be able to do this, which
+we will explore with another example.
+
+## Paths In a Directed Graph
+
+As a final, and more advanced, example, we will prove a property about paths in a directed graph.
+For this, we will have occasion to call a lemma universally on all sequences of nodes.
+A directed graph is composed
+of a number of `Node`s, each with some links to other `Node`s. These links are single directional,
+and the only restriction on them is that a node cannot link to itself. Nodes are defined as:
+
+<!-- %check-verify -->
+```dafny
+class Node
+{
+  // a single field giving the nodes linked to
+  var next: seq<Node>
+}
+```
+
+We represent a graph as a set of Nodes that only point to other nodes in the graph, and not to itself.
+We call such a set of nodes *closed*:
+
+<!-- %check-verify -->
+```dafny
+class Node
+{
+  // a single field giving the nodes linked to
+  var next: seq<Node>
+}
+predicate closed(graph: set<Node>)
+  reads graph
+{
+  forall i :: i in graph ==>
+    forall k :: 0 <= k < |i.next| ==> i.next[k] in graph && i.next[k] != i
+}
+```
+
+We represent a path as a nonempty sequence of nodes, where each node is linked to by the previous node in the
+path. We define two predicates, one that defines a valid path, and another that determines whether the given
+path is a valid one between two specific nodes in the graph:
+
+<!-- %check-verify -->
+```dafny
+class Node
+{
+  // a single field giving the nodes linked to
+  var next: seq<Node>
+}
+predicate closed(graph: set<Node>)
+  reads graph
+{
+  forall i :: i in graph ==>
+    forall k :: 0 <= k < |i.next| ==> i.next[k] in graph && i.next[k] != i
+}
+predicate pathSpecific(p: seq<Node>, start: Node, end: Node, graph: set<Node>)
+  requires closed(graph)
+  reads graph
+{
+  0 < |p| && // path is nonempty
+  start == p[0] && end == p[|p|-1] && // it starts and ends correctly
+  path(p, graph) // and it is a valid path
+}
+predicate path(p: seq<Node>, graph: set<Node>)
+  requires closed(graph) && 0 < |p|
+  reads graph
+{
+  p[0] in graph &&
+    (|p| > 1 ==> p[1] in p[0].next && // the first link is valid, if it exists
+                 path(p[1..], graph)) // and the rest of the sequence is a valid path
+}
+```
+
+Now we are ready to state the lemma we want to prove. We consider a graph and a *sub-graph*: a subset
+of the nodes of the graph which also forms a graph. This sub-graph must be *closed*, i.e. not contain links
+outside of itself. If we have such a situation, then there cannot be a valid path from a node in the sub-graph
+to a node outside this sub-graph. We will call this fact the Closed Lemma, which we state in Dafny as follows:
+
+<!-- %check-verify Lemmas.7.expect -->
+```dafny
+lemma ClosedLemma(subgraph: set<Node>, root: Node, goal: Node, graph: set<Node>)
+  requires closed(subgraph) && closed(graph) && subgraph <= graph
+  requires root in subgraph && goal in graph - subgraph
+  ensures !(exists p: seq<Node> :: pathSpecific(p, root, goal, graph))
+{
+  //...
+}
+class Node
+{
+  var next: seq<Node>
+}
+predicate pathSpecific(p: seq<Node>, start: Node, end: Node, graph: set<Node>)
+  requires closed(graph)
+  reads graph
+{
+  0 < |p| && // path is nonempty
+  start == p[0] && end == p[|p|-1] && // it starts and ends correctly
+  path(p, graph) // and it is a valid path
+}
+predicate path(p: seq<Node>, graph: set<Node>)
+  requires closed(graph) && 0 < |p|
+  reads graph
+{
+  p[0] in graph &&
+    (|p| > 1 ==> p[1] in p[0].next && // the first link is valid, if it exists
+                 path(p[1..], graph)) // and the rest of the sequence is a valid path
+}
+predicate closed(graph: set<Node>)
+  reads graph
+{
+  forall i :: i in graph ==> forall k :: 0 <= k < |i.next| ==> i.next[k] in graph && i.next[k] != i
+}
+```
+
+The preconditions state all the requirements: that both the graph and sub-graph are valid,
+that the root node is in the sub-graph but the goal isn't, and that everything is contained in
+the main graph. The postcondition states that there is no valid path from the root to the goal.
+Here we only prove it for a specific pair of start/end nodes.
+
+One way of proving the non-existence of something is to prove given any sequence of nodes that
+it cannot be a valid path. We can do this with, you guessed it, another lemma. This lemma will
+prove for any given sequence, that it cannot be a valid path from `root` to `goal`.
+The disproof of a path lemma looks like:
+
+<!-- %check-verify Lemmas.8.expect -->
+```dafny
+lemma DisproofLemma(p: seq<Node>, subgraph: set<Node>,
+                    root: Node, goal: Node, graph: set<Node>)
+  requires closed(subgraph) && closed(graph) && subgraph <= graph
+  requires root in subgraph && goal in graph - subgraph
+  ensures !pathSpecific(p, root, goal, graph)
+{
+}
+class Node
+{
+  var next: seq<Node>
+}
+predicate pathSpecific(p: seq<Node>, start: Node, end: Node, graph: set<Node>)
+  requires closed(graph)
+  reads graph
+{
+  0 < |p| && // path is nonempty
+  start == p[0] && end == p[|p|-1] && // it starts and ends correctly
+  path(p, graph) // and it is a valid path
+}
+predicate path(p: seq<Node>, graph: set<Node>)
+  requires closed(graph) && 0 < |p|
+  reads graph
+{
+  p[0] in graph &&
+    (|p| > 1 ==> p[1] in p[0].next && // the first link is valid, if it exists
+                 path(p[1..], graph)) // and the rest of the sequence is a valid path
+}
+predicate closed(graph: set<Node>)
+  reads graph
+{
+  forall i :: i in graph ==> forall k :: 0 <= k < |i.next| ==> i.next[k] in graph && i.next[k] != i
+}
+```
+
+The preconditions are the same as `ClosedLemma`.  To use `DisproofLemma` in `ClosedLemma`, we need
+to invoke it once for every sequence of nodes.  This can be done with Dafny's `forall` statement,
+which aggregates the effect of its body for all values of the given bound variable.
+
+<!-- %check-verify Lemmas.9.expect -->
+```dafny
+lemma ClosedLemma(subgraph: set<Node>, root: Node, goal: Node, graph: set<Node>)
+  requires closed(subgraph) && closed(graph) && subgraph <= graph
+  requires root in subgraph && goal in graph - subgraph
+  ensures !(exists p: seq<Node> :: pathSpecific(p, root, goal, graph))
+{
+  forall p {
+    DisproofLemma(p, subgraph, root, goal, graph);
+  }
+}
+lemma DisproofLemma(p: seq<Node>, subgraph: set<Node>,
+                    root: Node, goal: Node, graph: set<Node>)
+  requires closed(subgraph) && closed(graph) && subgraph <= graph
+  requires root in subgraph && goal in graph - subgraph
+  ensures !pathSpecific(p, root, goal, graph)
+{
+}
+class Node
+{
+  var next: seq<Node>
+}
+predicate pathSpecific(p: seq<Node>, start: Node, end: Node, graph: set<Node>)
+  requires closed(graph)
+  reads graph
+{
+  0 < |p| && // path is nonempty
+    start == p[0] && end == p[|p|-1] && // it starts and ends correctly
+    path(p, graph) // and it is a valid path
+}
+predicate path(p: seq<Node>, graph: set<Node>)
+  requires closed(graph) && 0 < |p|
+  reads graph
+{
+  p[0] in graph &&
+    (|p| > 1 ==> p[1] in p[0].next && // the first link is valid, if it exists
+                 path(p[1..], graph)) // and the rest of the sequence is a valid path
+}
+predicate closed(graph: set<Node>)
+  reads graph
+{
+  forall i :: i in graph ==> forall k :: 0 <= k < |i.next| ==> i.next[k] in graph && i.next[k] != i
+}
+```
+
+As you can see, this causes the `ClosedLemma` to verify, so our test of the lemma is
+successful. Thus `DisproofLemma` is strong enough, and our work is reduced to just proving
+it.
+
+There are a few different ways that a sequence of nodes can be an invalid path. If the path is empty,
+then it cannot be a valid path. Also, the first element of the path must be `root` and the last
+element needs to be `goal`. Because `root in subgraph` and `goal !in subgraph`, we must
+have `root != goal`, so the sequence must have at least two elements. To check that Dafny sees this,
+we can temporarily put preconditions on our lemma as follows:
+
+<!-- %check-verify Lemmas.10.expect -->
+```dafny
+lemma DisproofLemma(p: seq<Node>, subgraph: set<Node>,
+                    root: Node, goal: Node, graph: set<Node>)
+  requires closed(subgraph) && closed(graph) && subgraph <= graph
+  requires root in subgraph && goal in graph - subgraph
+  requires |p| < 2 || p[0] != root || p[|p|-1] != goal
+  ensures !pathSpecific(p, root, goal, graph)
+{
+}
+lemma ClosedLemma(subgraph: set<Node>, root: Node, goal: Node, graph: set<Node>)
+  requires closed(subgraph) && closed(graph) && subgraph <= graph
+  requires root in subgraph && goal in graph - subgraph
+  ensures !(exists p: seq<Node> :: pathSpecific(p, root, goal, graph))
+{
+  forall p {
+    DisproofLemma(p, subgraph, root, goal, graph);
+  }
+}
+class Node
+{
+  var next: seq<Node>
+}
+predicate pathSpecific(p: seq<Node>, start: Node, end: Node, graph: set<Node>)
+  requires closed(graph)
+  reads graph
+{
+  0 < |p| && // path is nonempty
+    start == p[0] && end == p[|p|-1] && // it starts and ends correctly
+    path(p, graph) // and it is a valid path
+}
+predicate path(p: seq<Node>, graph: set<Node>)
+  requires closed(graph) && 0 < |p|
+  reads graph
+{
+  p[0] in graph &&
+    (|p| > 1 ==> p[1] in p[0].next && // the first link is valid, if it exists
+                 path(p[1..], graph)) // and the rest of the sequence is a valid path
+}
+predicate closed(graph: set<Node>)
+  reads graph
+{
+  forall i :: i in graph ==> forall k :: 0 <= k < |i.next| ==> i.next[k] in graph && i.next[k] != i
+}
+```
+
+Note that this will cause `ClosedLemma` to stop verifying, as the lemma now only works for some
+sequences. We will ignore `ClosedLemma` until we have finished `DisproofLemma`. This verifies,
+which means that Dafny is able to prove the postcondition in these circumstances. Thus we only need to
+prove that the path is invalid when these conditions do not hold. We can use an `if` statement to express
+this:
+
+<!-- %no-check -->
+```dafny
+if 1 < |p| && p[0] == root && p[|p|-1] == goal {
+  (further proof)
+}
+```
+
+If the path is at least two elements long, the first element is `root`, and the last is
+`goal`, then we have a further proof. If these conditions are not met (that is, if the guard of
+the `if` statement is false and control continues in the implicit else branch), Dafny will prove
+the postcondition on its own (Advanced Remark: you can check this by temporarily adding
+the statement `assume false;` inside the then branch of the `if`).
+Now we just need to fill in the further proof part. In doing so, we can assume the guard condition
+of the `if` statement. We can now use the same inductive trick as above.
+
+If the sequence starts at `root` and ends at `goal`, it cannot be valid because the
+sequence must at some point have a node which is not in the previous nodes next list. When we are
+given any particular sequence like this, we can break it into two cases: either the sequence is invalid
+in the link from the first node to the second, or it is broken somewhere down the line. Just like in the
+counting example, Dafny can see that if the first to second node link is not valid, then the sequence
+cannot be a path because this mirrors the definition of `path`. Thus we only have further work to do
+if the first link is valid. We can express this with another `if` statement:
+
+<!-- %no-check -->
+```dafny
+if 1 < |p| && p[0] == root && p[|p|-1] == goal {
+  if p[1] in p[0].next {
+    (yet further proof)
+  }
+}
+```
+
+Here comes the induction. We know that `p[0] == root` and `p[1] in p[0].next`. We also know from
+the preconditions that `root in subgraph`. Thus, because `closed(subgraph)`, we know that
+`p[1] in subgraph`. These are the same conditions that we started with! What we have here is a smaller
+version of the same problem. We can just recursively call `DisproofLemma` to prove that `p[1..]` is
+not a path. This means, per the definition of `path`, that `p` cannot be a path, and the second postcondition
+is satisfied. This can be implemented as:
+
+<!-- %check-verify -->
+```dafny
+lemma DisproofLemma(p: seq<Node>, subgraph: set<Node>,
+                    root: Node, goal: Node, graph: set<Node>)
+  requires closed(subgraph) && closed(graph) && subgraph <= graph
+  requires root in subgraph && goal in graph - subgraph
+  ensures !pathSpecific(p, root, goal, graph)
+{
+  if 1 < |p| && p[0] == root && p[|p|-1] == goal {
+    if p[1] in p[0].next {
+      DisproofLemma(p[1..], subgraph, p[1], goal, graph);
+    }
+  }
+}
+lemma ClosedLemma(subgraph: set<Node>, root: Node, goal: Node, graph: set<Node>)
+  requires closed(subgraph) && closed(graph) && subgraph <= graph
+  requires root in subgraph && goal in graph - subgraph
+  ensures !(exists p: seq<Node> :: pathSpecific(p, root, goal, graph))
+{
+  forall p {
+    DisproofLemma(p, subgraph, root, goal, graph);
+  }
+}
+class Node
+{
+  var next: seq<Node>
+}
+predicate pathSpecific(p: seq<Node>, start: Node, end: Node, graph: set<Node>)
+  requires closed(graph)
+  reads graph
+{
+  0 < |p| && // path is nonempty
+    start == p[0] && end == p[|p|-1] && // it starts and ends correctly
+    path(p, graph) // and it is a valid path
+}
+predicate path(p: seq<Node>, graph: set<Node>)
+  requires closed(graph) && 0 < |p|
+  reads graph
+{
+  p[0] in graph &&
+    (|p| > 1 ==> p[1] in p[0].next && // the first link is valid, if it exists
+                 path(p[1..], graph)) // and the rest of the sequence is a valid path
+}
+predicate closed(graph: set<Node>)
+  reads graph
+{
+  forall i :: i in graph ==> forall k :: 0 <= k < |i.next| ==> i.next[k] in graph && i.next[k] != i
+}
+```
+
+Now `DisproofLemma` verifies, and with the removal of the testing preconditions, we see that
+`ClosedLemma` verifies as well. We have thus proven that there cannot be a path from inside a closed
+sub-graph to outside.
+
+The `forall` statement is useful when a lemma needs to be instantiated an unbounded number of times.
+The example showed a simple version of the `forall` statement.  For more advanced versions, see,
+for example, _Well-founded Functions and Extreme Predicates in Dafny: A Tutorial_ by Leino, IWIL-2015,
+or examples in the Dafny test suite.
+
+Always
+remember to check that your lemma is sufficient to prove what you need. Nothing is more frustrating than
+spending a while making a lemma verify, only to find out you need something stronger. This also lets you
+avoid creating a lemma with a precondition that is so restrictive that you cannot call it where you need to.
diff --git a/v4.10.0/OnlineTutorial/Modules.1.expect b/v4.10.0/OnlineTutorial/Modules.1.expect
new file mode 100644
index 0000000..7eaa7bd
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Modules.1.expect
@@ -0,0 +1,4 @@
+text.dfy(27,4): Error: assertion might not hold
+text.dfy(37,4): Error: assertion might not hold
+
+Dafny program verifier finished with 5 verified, 2 errors
diff --git a/v4.10.0/OnlineTutorial/Modules.2.expect b/v4.10.0/OnlineTutorial/Modules.2.expect
new file mode 100644
index 0000000..d910ed6
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Modules.2.expect
@@ -0,0 +1,2 @@
+text.dfy(9,11): Error: Function body type mismatch (expected A.T, got int)
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/OnlineTutorial/Modules.3.expect b/v4.10.0/OnlineTutorial/Modules.3.expect
new file mode 100644
index 0000000..a3f3efa
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Modules.3.expect
@@ -0,0 +1,5 @@
+text.dfy(7,11): Error: Raised while checking export set BadSpec: Function body type mismatch (expected T, got int)
+text.dfy(4,9): Error: This export set is not consistent: BadSpec
+text.dfy(7,16): Error: Raised while checking export set BadSpec2: Type or type parameter is not declared in this scope: T (did you forget to qualify a name or declare a module import 'opened'?) (note that names in outer modules are not visible in contained modules)
+text.dfy(5,9): Error: This export set is not consistent: BadSpec2
+4 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/OnlineTutorial/Modules.4.expect b/v4.10.0/OnlineTutorial/Modules.4.expect
new file mode 100644
index 0000000..a9e7077
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Modules.4.expect
@@ -0,0 +1,3 @@
+text.dfy(10,33): Error: 'A' is not a type that can declare members
+text.dfy(10,38): Error: 'A' is not a type that can declare members
+2 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/OnlineTutorial/Modules.5.expect b/v4.10.0/OnlineTutorial/Modules.5.expect
new file mode 100644
index 0000000..18a41e0
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Modules.5.expect
@@ -0,0 +1,3 @@
+text.dfy(13,4): Error: assertion might not hold
+
+Dafny program verifier finished with 2 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Modules.6.expect b/v4.10.0/OnlineTutorial/Modules.6.expect
new file mode 100644
index 0000000..06a00ad
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Modules.6.expect
@@ -0,0 +1,2 @@
+text.dfy(1,7): Error: module definition contains a cycle (note: parent modules implicitly depend on submodules): import A -> import B -> import A
+1 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/OnlineTutorial/Modules.7.expect b/v4.10.0/OnlineTutorial/Modules.7.expect
new file mode 100644
index 0000000..50ae88b
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Modules.7.expect
@@ -0,0 +1,4 @@
+text.dfy(4,4): Error: unresolved identifier: doIt
+text.dfy(4,8): Error: expected method call, found expression
+text.dfy(2,7): Error: not resolving module '_module' because there were errors in resolving its nested module 'M'
+3 resolution/type errors detected in text.dfy
diff --git a/v4.10.0/OnlineTutorial/Modules.md b/v4.10.0/OnlineTutorial/Modules.md
new file mode 100644
index 0000000..15c56d3
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Modules.md
@@ -0,0 +1,543 @@
+---
+title: Modules
+---
+
+# Modules
+
+## Introduction
+
+Structuring a program by breaking it into parts is an important part of creating large programs.
+In Dafny, this is accomplished via *modules*. Modules provide a way to
+group together related types, classes, methods, functions, and other modules, as well as control the scope of
+declarations.
+Modules may import each other for code reuse, and it is possible to abstract over modules to separate an implementation
+from an interface.
+
+
+## Declaring New Modules
+
+
+A new module is declared with the `module` keyword, followed by the name of the new module, and a
+pair of curly braces (`{}`) enclosing the body of the module:
+
+<!-- %no-check -->
+```dafny
+module Mod {
+  ...
+}
+```
+
+A module body can consist of anything that you could put at the toplevel. This includes classes, datatypes, types, methods, functions, etc.
+
+<!-- %check-verify -->
+```dafny
+module Mod {
+  class C {
+    var f: int
+    method m()
+  }
+  datatype Option = A(int) | B(int)
+  type T
+  method m()
+  function f(): int
+}
+```
+
+You can also put a module inside another, in a nested fashion:
+
+<!-- %check-verify -->
+```dafny
+module Mod {
+  module Helpers {
+    class C {
+      method doIt()
+      var f: int
+    }
+  }
+}
+```
+
+Then you can refer to the members of the `Helpers` module within the `Mod`
+module by prefixing them with "`Helpers.`". For example:
+
+<!-- %check-verify -->
+```dafny
+module Mod {
+  module Helpers {
+    class C {
+      constructor () { f := 0; }
+      method doIt()
+      var f: int
+    }
+  }
+  method m() {
+    var x := new Helpers.C();
+    x.doIt();
+    x.f := 4;
+  }
+}
+```
+
+Methods and functions defined at the module level are available like classes, with just the module
+name prefixing them. They are also available in the methods and functions of the classes in the same module.
+
+<!-- %check-verify -->
+```dafny
+module Mod {
+  module Helpers {
+    function addOne(n: nat): nat {
+      n + 1
+    }
+  }
+  method m() {
+    var x := 5;
+    x := Helpers.addOne(x); // x is now 6
+  }
+}
+```
+
+By default, definitions of functions (and predicates) are exposed outside of
+the module they are defined in. This can be controlled more precisely with
+export sets, as we will see in the following section. So adding
+
+<!-- %check-verify -->
+```dafny
+module Mod {
+  module Helpers {
+    function addOne(n: nat): nat {
+      n + 1
+    }
+  }
+  method m() {
+    var x := 5;
+    x := Helpers.addOne(x);
+    assert x == 6; // this will succeed
+  }
+}
+```
+
+to the end of `m()` will verify.
+
+## Importing and Exporting Modules
+
+Declaring new submodules is useful, but sometimes you want to refer to things from an existing module,
+such as a library. In this case, you can *import* one module into another. This is done via the `import`
+keyword, and there are a few different forms, each of which has a different meaning.
+The simplest kind is the *concrete import*, and has the form `import A = B`. This declaration creates a reference to the module B
+(which must already exist), and binds it to the new name A. Note this new name, i.e. `A`, is only bound in the
+module containing the `import` declaration; it does not create a global alias. For example, if `Helpers` was
+defined outside of `Mod`, then we could import it:
+
+<!-- %check-verify -->
+```dafny
+module Helpers {
+  function addOne(n: nat): nat
+  {
+    n + 1
+  }
+}
+module Mod {
+  import A = Helpers
+  method m() {
+    assert A.addOne(5) == 6;
+  }
+}
+```
+
+Note that inside `m()`, we have to use `A` instead of `Helpers`, as we bound it to a different name.
+The name `Helpers` is not available inside `m()`, as only names that have been bound inside `Mod` are available.
+In order to use the members from another module, it either has to be declared there with `module` or imported with `import`.
+
+We don't have to give `Helpers` a new name, though, if we don't want to. We can write `import Helpers = Helpers` if we want to,
+and Dafny even provides the shorthand `import Helpers` for this behavior. You can't bind two modules with the same name at the
+same time, so sometimes you have to use the `=` version to ensure the names do not clash.
+
+### Export sets
+
+By default, an `import` will give access to all declarations (and their definitions) from the imported module. To control this more precisely we can instead use `export` sets. Each `export` set may have a list of declarations from the current module, given as `provides` or `reveals`. An `export` without a name is considered the default export for that module, and is used when no set is explicitly named.
+
+<!-- %check-verify -->
+```dafny
+module Helpers {
+  export Spec provides addOne, addOne_result
+  export Body reveals addOne
+  export extends Spec
+  function addOne(n: nat): nat
+  {
+    n + 1
+  }
+  lemma addOne_result(n : nat)
+     ensures addOne(n) == n + 1
+  { }
+}
+```
+
+In this example we declare 3 export sets, the `Spec` set grants access to the `addOne` function, but since it is declared with `provides` it does not give access to its definition. The `Body` export set declares `addOne` as `reveals`, which now gives access to the body of `addOne`. Finally, the default export is given as an `extends` of `Spec`, indicating that it simply gives all the declared exports that `Spec` does.
+
+We can now choose any of these export sets when importing `Helpers` and get different views of it.
+
+<!-- %check-verify Modules.1.expect -->
+```dafny
+module Helpers {
+  export Spec provides addOne, addOne_result
+  export Body reveals addOne
+  export extends Spec
+  function addOne(n: nat): nat
+  {
+    n + 1
+  }
+  lemma addOne_result(n: nat)
+     ensures addOne(n) == n + 1
+  { }
+}
+
+module Mod1 {
+  import A = Helpers`Body
+  method m() {
+    assert A.addOne(5) == 6; // succeeds, we have access to addOne's body
+  }
+  method m2() {
+    //A.addOne_result(5); // error, addOne_result is not exported from Body
+    assert A.addOne(5) == 6;
+  }
+}
+module Mod2 {
+  import A = Helpers`Spec
+  method m() {
+    assert A.addOne(5) == 6; // fails, we don't have addOne's body
+  }
+  method m2() {
+    A.addOne_result(5);
+    assert A.addOne(5) == 6; // succeeds due to result from addOne_result
+  }
+}
+module Mod3 {
+  import A = Helpers
+  method m() {
+    assert A.addOne(5) == 6; // fails, we don't have addOne's body
+  }
+}
+```
+
+We may also use `export` sets to control which type definitions are available. All type declarations (i.e. `newtype`, `type`, `datatype`, etc.) can be exported as `provides` or `reveals`. In the former case, modules which `import` that type will treat it as an abstract type.
+
+<!-- %check-resolve Modules.2.expect -->
+```dafny
+module Helpers {
+  export provides f, T
+  export Body reveals f, T
+  type T = int
+  function f(): T { 0 }
+}
+module Mod {
+  import A = Helpers
+  function g(): A.T { 0 } // error, T is not known to be int, or even numeric
+  function h(): A.T { A.f() } // okay
+}
+```
+
+Once an `export` has been imported that `reveals` a previously abstract type, all existing uses of it are known to be the inner type.
+
+<!-- %check-verify -->
+```dafny
+module Helpers {
+  export provides f, T
+  export Body reveals f, T
+  type T = int
+  function f(): T { 0 }
+}
+module Mod {
+  import A = Helpers
+  function h(): A.T { A.f() }
+}
+module Mod2 {
+  import M = Mod
+  import A = Helpers`Body
+  function j(): int
+    ensures j() == 0 //succeeds
+  { M.h() }
+}
+```
+
+As a convenient shorthand, the special identifier "*" can be given after `provides` or `reveals` to indicate that all declarations should be either provided or revealed.
+
+<!-- %check-verify -->
+```dafny
+module A {
+   export All reveals * // reveals T, f, g
+   export Spec provides * // provides T, f, g
+   export Some provides * reveals g // provides T, f reveals g
+   type T = int
+   function f(): T { 0 }
+   function g(): int { 2 }
+}
+```
+
+We can also provide multiple exports at once to create an aggregate `import`.
+
+<!-- %check-verify -->
+```dafny
+module A {
+  export Justf reveals f
+  export JustT reveals T
+  type T = int
+  function f(): int { 0 }
+}
+module B {
+  import A`{Justf,JustT}
+  function g(): A.T { A.f() }
+}
+```
+
+### Export Consistency
+
+
+An `export` set must always present a coherent view of a module: anything that appears in an exported declaration must itself be exported. Revisiting the previous example, we could not create an `export` set that `reveals` `f` without also revealing `T`, because the return type of `f` is `T`. This is for the simple reason that we would create a type constraint `0 : T` which cannot be solved if `T` is opaque. Similarly we cannot create an export set that `provides` or `reveals` `f` if we do not also at least provide `T`.
+
+<!-- %check-resolve Modules.3.expect -->
+```dafny
+module Helpers {
+  export provides f, T // good
+  export Body reveals f, T // good
+  export BadSpec reveals f provides T // bad
+  export BadSpec2 provides f // bad
+  type T = int
+  function f(): T { 0 }
+}
+```
+
+Since we may define modules which contain both `import` and `export` declarations, we may need to export declarations from foreign modules in order to create a consistent `export` set. Declarations from foreign modules cannot be included in an `export` directly, however the `import` that provided them can.
+
+<!-- %check-resolve Modules.4.expect -->
+```dafny
+module Helpers {
+  export provides f, T
+  type T = int
+  function f(): T { 0 }
+}
+
+module Mod {
+  import A = Helpers
+  export Try1 reveals h // error
+  export Try2 reveals h provides A.f, A.T // error, can't provide these directly
+  export reveals h provides A // good
+  function h(): A.T { A.f() }
+}
+```
+
+When importing `Mod` we now also gain qualified access to what is provided in its `import A`. We may also choose to directly import these, to give them a shorter name.
+
+<!-- %check-verify -->
+```dafny
+module Helpers {
+  export provides f, T
+  type T = int
+  function f(): T { 0 }
+}
+module Mod {
+  export reveals h provides A
+  import A = Helpers
+  function h(): A.T { A.f() }
+}
+module Mod2 {
+  import M = Mod
+  import MA = M.A
+  function j(): M.A.T { M.h() }
+  function k(): MA.T { j() }
+}
+```
+
+
+## Opening Modules
+
+ Sometimes prefixing the members of the module you imported with the name is tedious and ugly, even if you select a short name when importing it.
+In this case, you can import the module as "`opened`", which causes all of its members to be available without adding the module name. The
+`opened` keyword must immediately follow `import`, if it is present. For
+example, we could write the previous `addOne` example as:
+
+<!-- %check-verify -->
+```dafny
+module Helpers {
+  function addOne(n: nat): nat
+  {
+    n + 1
+  }
+}
+module Mod {
+  import opened Helpers
+  method m() {
+    assert addOne(5) == 6;
+  }
+}
+```
+
+When opening modules, the newly bound members will have low priority, so they will be hidden by local
+definitions. This means if you define a local function called `addOne`, the function from `Helpers`
+will no longer be available under that name. When modules are opened, the original name binding is still
+present however, so you can always use the name that was bound to get to anything that is hidden.
+
+<!-- %check-verify Modules.5.expect -->
+```dafny
+module Helpers {
+  function addOne(n: nat): nat
+  {
+    n + 1
+  }
+}
+module Mod {
+  import opened Helpers
+  function addOne(n: nat): nat {
+    n + 2
+  }
+  method m() {
+    assert addOne(5) == 6; // this is now false,
+                           // as this is the function just defined
+    assert Helpers.addOne(5) == 6; // this is still true
+  }
+}
+```
+
+If you open two modules that both declare members with the same name, then neither member can
+be referred to without a module prefix, as it would be ambiguous which one was meant. Just opening
+the two modules is not an error, however, as long as you don't attempt to use members with common names.
+The `opened` keyword can be used with any kind of `import` declaration, including the *module abstraction* form.
+
+
+## Module Abstraction {#sec-module-abstraction}
+
+Sometimes, using a specific implementation is unnecessary; instead, all that is needed is a module that implements some interface.
+In that case, you can use an *abstract* module import. In Dafny, this is written `import A : B`. This means bind the name
+`A` as before, but instead of getting the exact module `B`, you get any module which is a *refinement* of `B`. Typically, the module
+`B` may have abstract type definitions, classes with bodyless methods, or otherwise be unsuitable to use directly. Because of the way refinement
+is defined, any refinement of `B` can be used safely. For example, if we start with:
+
+<!-- %check-verify -->
+```dafny
+abstract module Interface {
+  function addSome(n: nat): nat
+    ensures addSome(n) > n
+}
+abstract module Mod {
+  import A : Interface
+  method m() {
+    assert 6 <= A.addSome(5);
+  }
+}
+```
+
+then we can be more precise if we know that `addSome` actually adds exactly one. The following module has this behavior. Further, the postcondition is stronger,
+so this is actually a refinement of the `Interface` module.
+
+<!-- %check-verify -->
+```dafny
+abstract module Interface {
+  function addSome(n: nat): nat
+    ensures addSome(n) > n
+}
+abstract module Mod {
+  import A : Interface
+  method m() {
+    assert 6 <= A.addSome(5);
+  }
+}
+module Implementation refines Interface {
+  function addSome(n: nat): nat
+    ensures addSome(n) == n + 1
+  {
+    n + 1
+  }
+}
+```
+
+We can then substitute `Implementation` for `A` in a new module, by declaring a refinement of `Mod` which defines `A` to be `Implementation`.
+
+<!-- %check-verify -->
+```dafny
+abstract module Interface {
+  function addSome(n: nat): nat
+    ensures addSome(n) > n
+}
+abstract module Mod {
+  import A : Interface
+  method m() {
+    assert 6 <= A.addSome(5);
+  }
+}
+module Implementation refines Interface {
+  function addSome(n: nat): nat
+    ensures addSome(n) == n + 1
+  {
+    n + 1
+  }
+}
+module Mod2 refines Mod {
+  import A = Implementation
+  method m() {
+    // this is now provable, because we know A is Implementation
+    assert 6 == A.addSome(5);
+  }
+}
+```
+
+When you refine an abstract import into a concrete one, the concrete module must be an explicit refinement of the abstract one (i.e. declared with `refines`).
+
+
+## Module Ordering and Dependencies
+
+
+  Dafny isn't particular about which order the modules appear in, but they must follow some rules to be well formed. As a rule of thumb, there should be a way to order the modules in a program
+  such that each only refers to things defined <strong>before</strong> it in the source text. That doesn't mean the modules have to be given in that order. Dafny will figure out that order for you, assuming
+  you haven't made any circular references. For example, this is pretty clearly meaningless:
+
+<!-- %check-resolve Modules.6.expect -->
+```dafny
+import A = B
+import B = A
+```
+
+You can have import statements at the toplevel, and you can import modules defined at the same level:
+
+<!-- %check-verify -->
+```dafny
+import A = B
+method m() {
+  A.whatever();
+}
+module B {
+  method whatever() {}
+}
+```
+
+In this case, everything is well defined because we can put `B` first, followed by the `A` import, and then finally `m()`. If there is no ordering,
+then Dafny will give an error, complaining about a cyclic dependency.
+
+Note that when rearranging modules and imports, they have to be kept in the same containing module, which disallows some pathological module structures. Also, the
+imports and submodules are always considered to be first, even at the toplevel. This means that the following is not well formed:
+
+<!-- %check-resolve Modules.7.expect -->
+```dafny
+method doIt() { }
+module M {
+  method m() {
+    doIt();
+  }
+}
+```
+
+because the module `M` must come before any other kind of members, such as methods. To define global functions like this, you can put them in a module (called `Globals`, say)
+and open it into any module that needs its functionality.
+Finally, if you import via a path, such as `import A = B.C`, then this creates a dependency of `A` on `B`, as we need to know what B is (is it abstract or concrete, or a refinement?).
+
+## Name Resolution
+
+When Dafny sees something like `A.B.C`, how does it know what each part refers to? The process Dafny uses to determine what identifier sequences like this refer
+to is name resolution. Though the rules may seem complex, usually they do what you would expect. Dafny first looks up the initial identifier. Depending on what the first
+identifier refers to, the rest of the identifier is looked up in the appropriate context. The full rules are described in the [Reference Manual](../DafnyRef/DafnyRef#sec-name-resolution):
+
+* The first component is looked up in the local scope, which may be a block of a method, the declarations of a type, or the local names in a module.
+For a module, the local names include those brought in by `import opened`, though these can be shadowed by non-imported local names.
+The names brought in by an import depend on which export set is designated (perhaps by default) in the import declaration.
+* Then subsequent identifiers are looked up in the scope of the qualified name prefix interpreted so far.
+
+There are slightly modified rules for (a) the qualified names used in module import and refine declarations, (b) the name of a datatype that is the same as the name of its containing
+module, and (c) the names of datatype constructors, if they are unambiguous (they often do not need a prefixing name of the data type itself).
diff --git a/v4.10.0/OnlineTutorial/Sequences.md b/v4.10.0/OnlineTutorial/Sequences.md
new file mode 100644
index 0000000..78c6480
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Sequences.md
@@ -0,0 +1,257 @@
+---
+title: Sequences
+---
+
+# Sequences
+
+Sequences are a built-in Dafny type representing an ordered
+list. They can be used to represent many ordered collections, including lists,
+queues, stacks, etc. Sequences are an immutable value type: they cannot be
+modified once they are created. In this sense, they are similar to strings in
+languages like Java and Python, except they can be sequences of arbitrary
+types, rather than only characters. Sequence types are written:
+
+<!-- %no-check -->
+```dafny
+seq<int>
+```
+
+for a sequence of integers, for example.
+For example, this function takes a sequence as a parameter:
+
+<!-- %check-verify -->
+```dafny
+predicate sorted(s: seq<int>)
+{
+  forall i,j :: 0 <= i < j < |s| ==> s[i] <= s[j]
+}
+```
+
+The length of a sequence is written `|s|`, as in the above quantifier. Specific elements of a
+sequence are accessed using the same square bracket syntax as arrays. Note also
+that the function does not require a reads clause to access the sequence. That
+is because sequences are not stored on the heap; they are values, so functions
+don't need to declare when they are accessing them. The most powerful property
+of sequences is the fact that annotations and functions can create and
+manipulate them. For example, another way of expressing sorted-ness is
+recursive: if the first element is smaller than the rest, and the rest is
+sorted, then the whole array is sorted:
+
+<!-- %check-verify -->
+```dafny
+predicate sorted2(s: seq<int>)
+{
+  0 < |s| ==> (forall i :: 0 < i < |s| ==> s[0] <= s[i]) &&
+               sorted2(s[1..])
+}
+```
+
+
+The notation `s[1..]`
+is *slicing* the sequence. It means starting at the first element, take
+elements until you reach the end. This does not modify s, as sequences are
+immutable. Rather, it creates a new sequence which has all the same elements in
+the same order, except for the first one. This is similar to addition of
+integers in that the original values are not changed, just new ones created.
+The slice notation is:
+
+<!-- %no-check -->
+```dafny
+  s[i..j]
+```
+
+where `0 <= i <= j <= |s|`. Dafny will enforce these index bounds. The resulting sequence
+will have exactly `j-i` elements, and will start with the element `s[i]` and
+continue sequentially through the sequence, if the result is non-empty. This
+means that the element at index `j` is excluded from the slice, which mirrors the
+same half-open interval used for regular indexing.
+
+Sequences can also be constructed from their elements, using *display notation*:
+
+<!-- %check-verify -->
+```dafny
+method m() {
+  var s := [1, 2, 3];
+}
+```
+
+Here we have a integer sequence variable in some imperative
+code containing the elements 1, 2, and 3. Type inference has been used here to
+determine that the sequence is one of integers. This notation allows us to
+construct empty sequences and singleton sequences:
+
+<!-- %no-check -->
+```dafny
+  [] // the empty sequence, which can be a sequence of any type
+  [true] // a singleton sequence of type seq<bool>
+```
+
+Slice notation and display notation can be used to check
+properties of sequences:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s := [1, 2, 3, 4, 5];
+  assert s[|s|-1] == 5; //access the last element
+  assert s[|s|-1..|s|] == [5]; //slice just the last element, as a singleton
+  assert s[1..] == [2, 3, 4, 5]; // everything but the first
+  assert s[..|s|-1] == [1, 2, 3, 4]; // everything but the last
+  assert s == s[0..] == s[..|s|] == s[0..|s|]; // the whole sequence
+}
+```
+
+By far the most common operations on sequences are getting
+the first and last elements, and getting everything but the first or last
+element, as these are often used in recursive functions, such as `sorted2`
+above. In addition to being deconstructed by being accessed or sliced, sequences
+can also be concatenated, using the plus (`+`) symbol:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s := [1, 2, 3, 4, 5];
+  assert [1,2,3] == [1] + [2,3];
+  assert s == s + [];
+  assert forall i :: 0 <= i <= |s| ==> s == s[..i] + s[i..];
+}
+```
+
+The last assertion gives a relationship between
+concatenation and slicing. Because the slicing operation is exclusive on one
+side and inclusive on the other, the element appears in the concatenation
+exactly once, as it should. Note that the concatenation operation is
+associative:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  assert forall a: seq<int>, b: seq<int>, c: seq<int> ::
+         (a + b) + c == a + (b + c);
+}
+```
+
+but that the Z3 theorem prover will not realize this unless
+it is prompted with an assertion stating that fact (see Lemmas/Induction for
+more information on why this is necessary).
+
+Sequences also support the `in` and `!in` operators, which test
+for containment within a sequence:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s := [1, 2, 3, 4, 5];
+  assert 5 in s;
+  assert 0 !in s;
+}
+```
+
+This also allows us an alternate means of quantifying over
+the elements of a sequence, when we don't care about the index. For example, we
+can require that a sequence only contains elements which are indices into the
+sequence:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s := [2,3,1,0];
+  assert forall i :: i in s ==> 0 <= i < |s|;
+}
+```
+
+This is a property of each individual element of the
+sequence. If we wanted to relate multiple elements to each other, we would need
+to quantify over the indices, as in the first example.
+
+Sometimes we would like to emulate the updatable nature of
+arrays using sequences. While we can't change the original sequence, we can
+create a new sequence with the same elements everywhere except for the updated
+element:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s := [1,2,3,4];
+  assert s[2 := 6] == [1,2,6,4];
+}
+```
+
+Of course, the index `i` has to be an index into the array. This syntax is just
+a shortcut for an operation that can be done with regular slicing and access operations.
+Can you fill in the code below that does this?
+
+<!-- %check-verify -->
+```dafny
+function update(s: seq<int>, i: int, v: int): seq<int>
+  requires 0 <= i < |s|
+  ensures update(s, i, v) == s[i := v]
+{
+  s[..i] + [v] + s[i+1..]
+  // This works by concatenating everything that doesn't
+  // change with the singleton of the new value.
+}
+```
+
+You can also form a sequence from the elements of an array. This is done
+using the same "slice" notation as above:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var a := new int[][42, 43, 44]; // 3 element array of ints
+  a[0], a[1], a[2] := 0, 3, -1;
+  var s := a[..];
+  assert s == [0, 3, -1];
+}
+```
+
+To extract just part of the array, the bounds can be given just like in a regular
+slicing operation:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var a := new int[][42, 43, 44]; // 3 element array of ints
+  a[0], a[1], a[2] := 0, 3, -1;
+  assert a[1..] == [3, -1];
+  assert a[..1] == [0];
+  assert a[1..2] == [3];
+}
+```
+
+Because sequences support `in` and `!in`, this operation gives us
+an easy way to express the "element not in array" property, turning:
+
+<!-- %no-check -->
+```dafny
+forall k :: 0 <= k < a.Length ==> elem != a[k]
+```
+
+into:
+
+<!-- %no-check -->
+```dafny
+elem !in a[..]
+```
+
+Further, bounds are easily included:
+<!-- %no-check -->
+```dafny
+forall k :: 0 <= k < i ==> elem != a[k]
+```
+
+is the same as
+
+<!-- %no-check -->
+```dafny
+elem !in a[..i]
+```
diff --git a/v4.10.0/OnlineTutorial/Sets.1.expect b/v4.10.0/OnlineTutorial/Sets.1.expect
new file mode 100644
index 0000000..1f7b778
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Sets.1.expect
@@ -0,0 +1,3 @@
+text.dfy(4,2): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/Sets.W1.expect b/v4.10.0/OnlineTutorial/Sets.W1.expect
new file mode 100644
index 0000000..f331a19
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Sets.W1.expect
@@ -0,0 +1,3 @@
+text.dfy(6,9): Warning: Could not find a trigger for this quantifier. Without a trigger, the quantifier may cause brittle verification. To silence this warning, add an explicit trigger using the {:trigger} attribute. For more information, see the section quantifier instantiation rules in the reference manual.
+
+Dafny program verifier finished with 1 verified, 0 errors
diff --git a/v4.10.0/OnlineTutorial/Sets.W2.expect b/v4.10.0/OnlineTutorial/Sets.W2.expect
new file mode 100644
index 0000000..0f54bf6
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Sets.W2.expect
@@ -0,0 +1,3 @@
+text.dfy(3,10): Warning: Could not find a trigger for this quantifier. Without a trigger, the quantifier may cause brittle verification. To silence this warning, add an explicit trigger using the {:trigger} attribute. For more information, see the section quantifier instantiation rules in the reference manual.
+
+Dafny program verifier finished with 1 verified, 0 errors
diff --git a/v4.10.0/OnlineTutorial/Sets.W3.expect b/v4.10.0/OnlineTutorial/Sets.W3.expect
new file mode 100644
index 0000000..0f54bf6
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Sets.W3.expect
@@ -0,0 +1,3 @@
+text.dfy(3,10): Warning: Could not find a trigger for this quantifier. Without a trigger, the quantifier may cause brittle verification. To silence this warning, add an explicit trigger using the {:trigger} attribute. For more information, see the section quantifier instantiation rules in the reference manual.
+
+Dafny program verifier finished with 1 verified, 0 errors
diff --git a/v4.10.0/OnlineTutorial/Sets.md b/v4.10.0/OnlineTutorial/Sets.md
new file mode 100644
index 0000000..0b01c7c
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Sets.md
@@ -0,0 +1,171 @@
+---
+title: Sets
+---
+
+# Sets
+
+Sets of various types form one of the core tools of verification for Dafny.
+Sets represent an orderless collection of elements, without repetition. Like
+sequences, sets are immutable value types. This allows them to be used easily
+in annotations, without involving the heap, as a set cannot be modified once
+it has been created. A set has the type:
+
+<!-- %no-check -->
+```dafny
+  set<int>
+```
+
+for a set of integers, for example. In general, sets can be of almost any type, including objects. Concrete sets can be specified by using display notation:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s1 := {}; // the empty set
+  var s2 := {1, 2, 3}; // set contains exactly 1, 2, and 3
+  assert s2 == {1,1,2,3,3,3,3}; // same as before
+  assert s1 != s2;  // sets with different elements are different
+  var s3, s4 := {1,2}, {1,4};
+}
+```
+
+The set formed by the display is the expected set, containing just
+the elements specified. For the case of the empty set, the type of the
+variable `s1 above is not fully known from its initialization. However,
+later `s1` is compared to `s2`, so it must have the same type as `s2`,
+namely `set<int>`. However, in the example below, there is no such use of `s1`, 
+so the type of `s1` must be specifically stated in its declaration.
+
+Above we also see that equality is defined
+for sets. Two sets are equal if they have exactly the same elements.
+New sets can be created from existing ones using the common set operations:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s1: set<int> := {};
+  var s2 := {1, 2, 3};
+  var s3, s4 := {1,2}, {1,4};
+  assert s2 + s4 == {1,2,3,4}; // set union
+  assert s2 * s3 == {1,2} && s2 * s4 == {1}; // set intersection
+  assert s2 - s3 == {3}; // set difference
+}
+```
+
+the union does not count repeated elements more than once. These
+operators will result in a finite set if both operands are finite,
+so they cannot generate an infinite set. Unlike the arithmetic
+operators, the set operators are always defined. In addition to set
+forming operators, there are comparison operators with their usual
+meanings:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  assert {1} <= {1, 2} && {1, 2} <= {1, 2}; // subset
+  assert {} < {1, 2} && !({1} < {1}); // strict, or proper, subset
+  assert !({1, 2} <= {1, 4}) && !({1, 4} <= {1}); // not subsets
+  assert {1, 2} == {1, 2} && {1, 3} != {1, 2}; // equality and non-equality
+}
+```
+
+Sets, like sequences, support the `in` and `!in` operators, to
+test element membership. For example:
+
+<!-- %check-verify-warn Sets.W1.expect -->
+```dafny
+method m()
+{
+  assert 5 in {1,3,4,5};
+  assert 1 in {1,3,4,5};
+  assert 2 !in {1,3,4,5};
+  assert forall x: int :: x !in {};
+}
+```
+
+Sets are used in several annotations, including reads and modifies
+clauses. In this case, they can be sets of a specific object type
+(like `Nodes` in a linked list), or they can be sets of the
+generic reference type `object`. Despite its name, this can point to
+any object or array. This is useful to bundle up all of the locations
+that a function or method might read or write when they can be different types.
+
+
+When used in a decreases clause, sets are ordered by proper subset.
+To use sets in
+decreases clauses, the successive values must be "related" in some sense, which
+usually implies that they are recursively calculated, or similar.
+
+You can test if a set is empty by comparing it to the empty set
+(`s == {}` is true if and only if `s` has no elements.)
+
+
+
+A useful way to create sets is using a set comprehension. This defines
+a new set by including `f(x)`
+in the set for all `x` of type `T` that satisfy `p(x)`:
+
+<!-- %no-check -->
+```dafny
+  set x: T | p(x) :: f(x)
+```
+
+This defines a set in a manner reminiscent of a universal quantifier (`forall`). As with quantifiers,
+the type can usually be inferred. In contrast to quantifiers, the bar syntax (`|`) is required to
+separate the predicate (`p`) from the bound variable (`x`). The type of the elements of the resulting set is
+the type of the return value of `f(x)`. The values in the constructed set are the return values of `f(x)`:
+`x` itself acts only as a bridge between the predicate `p` and the function `f`. It
+usually has the same type as the resulting set, but it does not need to. As an example:
+
+<!-- %check-verify-warn Sets.W2.expect -->
+```dafny
+method m()
+{
+  assert (set x | x in {0,1,2} :: x + 0) == {0,1,2};
+}
+```
+
+If the function is the identity, then the expression can be written with a particularly nice form:
+
+<!-- %check-verify-warn Sets.W3.expect -->
+```dafny
+method m()
+{
+  assert (set x | x in {0,1,2,3,4,5} && x < 3) == {0,1,2};
+}
+```
+
+To reason about general, non-identity functions in set comprehensions, Dafny may need some help.
+For example, the following is true, but Dafny cannot prove it:
+
+<!-- %check-verify Sets.1.expect -->
+```dafny
+method m()
+{
+  // assert {0*1, 1*1, 2*1} == {0,1,2};  // include this assertion as a lemma to prove the next line
+  assert (set x | x in {0,1,2} :: x * 1) == {0,1,2};
+}
+```
+
+To help Dafny prove this assertion, you can precede it with the assertion
+`assert {0*1, 1*1, 2*1} == {0,1,2};`. This lets Dafny figure out both assertions.
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  assert {0*1, 1*1, 2*1} == {0,1,2};  // include this assertion as a lemma to prove the next line
+  assert (set x | x in {0,1,2} :: x * 1) == {0,1,2};
+}
+```
+Without care, a set comprehension could prescribe an infinite number of elements, but a `set`
+is only allowed to have a finite number of elements. For example, if you tried writing
+`set x | x % 2 == 0` as the set of all even integers, then you would get an error.
+(If you really want an infinite set, use the `iset` type instead.
+For example, `iset x | x % 2 == 0` is legal in ghost contexts.)
+To ensure that `set` comprehensions give rise to finite sets, Dafny employs some heuristics.
+When creating sets of integers, this can be done by bounding the integers
+in at least one conjunct of the predicate (something like `0 <= x < n`). Requiring a bound
+variable to be in an existing set also works, as in `x in {0,1,2}` from above.
diff --git a/v4.10.0/OnlineTutorial/Termination.md b/v4.10.0/OnlineTutorial/Termination.md
new file mode 100644
index 0000000..68a5d1b
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/Termination.md
@@ -0,0 +1,203 @@
+---
+title: Termination
+---
+
+# Termination
+
+Dafny proves that all programs terminate. There are two
+potential sources of non-terminating (divergent) behavior: loops and recursive
+functions and methods. Dafny employs a single technique for handling either
+case, *decreases annotations*.
+
+A decreases annotation specifies a value, called the *termination measure*,
+that becomes strictly smaller each time a loop is traversed or each time a
+recursive function or method is called. This value is also bounded so that it
+cannot decrease forever. This way, if the value starts at any arbitrary finite
+value, the loop or recursion must stop. To prove this, Dafny proves that the
+termination measure gets smaller on each iteration. If Dafny cannot prove this,
+it says there is a failure to decrease termination measure. Because each kind
+of termination measure comes with a built-in lower bound, this is all Dafny
+needs to do to prove termination.
+
+There are several kinds of values that Dafny can use in
+decreases annotations, but the most common are integers. Integers have a
+natural lower bound, zero, and it is usually quite easy to prove that they
+decrease. Since many loops iterate through indices, these kinds of termination
+proofs are very common. For example, we may have the following loop:
+
+<!-- %check-verify -->
+```dafny
+method m(n: nat)
+{
+  var i := 0;
+  while i < n
+    invariant 0 <= i <= n
+  {
+    // do something interesting
+     i := i + 1;
+  }
+}
+```
+
+If we give this to Dafny, we see that it verifies
+immediately. But how did it know that this terminates? Because this is such a
+common loop form, Dafny has a special rule for guessing the termination
+measure. Dafny sees that there is no explicit decreases annotation, so it tries
+to guess one. It sees that the loop condition is a comparison of the form `A < B`,
+ for some `A` and `B`, so it makes the guess:
+
+<!-- %no-check -->
+```dafny
+  decreases B - A
+```
+
+in this case:
+
+<!-- %no-check -->
+```dafny
+  decreases n - i
+```
+
+If we add this annotation to the loop, it continues to
+verify. Dafny is actually a little less strict than requiring the termination
+measure to be bounded by zero. Really what it requires is that the loop does
+not execute again when the termination measure is negative. So we could write:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var i, n := 0, 11;
+  while i < n
+    decreases n - i
+  {
+    // do something interesting
+    i := i + 5;
+  }
+}
+```
+
+Here, on the last iteration, `i`
+becomes `15`, so the termination measure is `-4`. But here we have that the loop
+guard is false, so the loop will not be executed again. Note we had to drop the
+loop invariant, as `i` can now exceed `n`.
+
+Dafny proves the termination of the whole program, not just
+loops. To do this, it uses the same technique for recursive functions and methods.
+Dafny analyzes which functions/methods call each other, to figure out possible
+recursion. For each function/method that is possibly recursive, it requires
+either an explicit or implicit decreases annotation on the function or method.
+Most recursive functions/methods are self-recursive:
+
+<!-- %check-verify -->
+```dafny
+function fac(n: nat): nat
+{
+  if n == 0 then 1 else n * fac(n-1)
+}
+```
+
+Dafny accepts this program as is. It turns out that for most
+functions which are recursive, they just call themselves with smaller values of
+the parameters, so the parameters decreasing is the default guess. The
+decreases annotation can be made explicit by adding:
+
+<!-- %no-check -->
+```dafny
+  decreases n
+```
+
+to the function declaration.
+
+Sometimes it is beneficial to have loops which may not
+terminate, or where a proof of termination is unknown. For example, consider
+the following method:
+
+<!-- %check-verify -->
+```dafny
+method hail(N: nat)
+  decreases *
+{
+  var n := N;
+  while 1 < n
+    decreases *
+  {
+    n := if n % 2 == 0 then n / 2 else n * 3 + 1;
+  }
+}
+```
+
+
+This program terminates if and only if the Collatz
+conjecture is true, which is an open problem in mathematics, so you can't really
+expect Dafny to be able to prove termination. You could also code something like a
+stream processor, which is intended to run forever. Thus Dafny provides an
+"out," a special annotation that instructs Dafny not to attempt to prove
+termination, which is given above in the `hail` method. This can be used
+on all non-ghost loops. Note that a method containing a loop marked with
+`decreases *` must itself be marked with `decreases *`.
+
+Dafny can use values other than integers as termination
+measures. When a sequence is specified, Dafny automatically uses the length as
+a termination measure. Sets are considered smaller if one is a strict subset of
+the other, so each set must be contained in the previous. With sets, the empty
+set is as small as you can go, and sequences have natural number lengths, so
+both of these come with lower bounds. Though not terribly useful, bools and
+references can also be used in decreases clauses. (See the reference if you
+want details.) The final kind of termination measure is a tuple of the other kinds of
+measures. For example, the following implementation of the Ackermann function
+uses a pair of integers to prove termination:
+
+<!-- %check-verify -->
+```dafny
+function Ack(m: nat, n: nat): nat
+  decreases m, n
+{
+  if m == 0 then n + 1
+  else if n == 0 then Ack(m - 1, 1)
+  else Ack(m - 1, Ack(m, n - 1))
+}
+```
+
+Here the decreases clause is explicitly written out, even
+though Dafny will guess the exact same thing. A tuple uses the size comparisons
+of the component values to determine whether the measure has shrunk. In this
+case it uses two integers, but in general the different parts can be of
+different categories. The comparison works *lexicographically*.
+If the first element, in this case m, is smaller, than it doesn't matter what
+happens to the other values. They could increase, decrease, or stay the same.
+The second element is only considered if the first element doesn't change.
+If the first element does not change, the second value needs to decrease. If neither the first or second changes, then the third element
+must decrease, etc. Eventually, one of the elements must decrease. Past that
+point, any further elements are again free to increase or do whatever they
+like.
+
+In the `Ack`
+function, there are three recursive calls. In the first, `m` becomes one
+smaller, but `n` increases. This is fine because `n` comes after `m`
+in the tuple. In the second call, `m` decreases as well, so the second argument
+is allowed to be any value (which is good, because Dafny doesn't really prove
+anything about the result of the third recursive call). Dafny does need to prove that
+the third call obeys the termination measure. For this call, `m` remains the same,
+but `n` decreases, so the overall measure decreases as well.
+
+Termination applies not just to single functions/methods,
+but also to multiple mutually recursive functions/methods. For example,
+consider this pair of recursively defined parity predicates:
+
+<!-- %check-verify -->
+```dafny
+predicate even(n: nat)
+  ensures even(n) <==> n % 2 == 0
+{
+  if n == 0 then true else odd(n-1)
+}
+predicate odd(n: nat)
+  ensures odd(n) <==> n % 2 != 0
+{
+  if n == 0 then false else even(n-1)
+}
+```
+
+Dafny proves that they terminate by considering all possible
+paths through the two functions.
diff --git a/v4.10.0/OnlineTutorial/ValueTypes.md b/v4.10.0/OnlineTutorial/ValueTypes.md
new file mode 100644
index 0000000..b424423
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/ValueTypes.md
@@ -0,0 +1,565 @@
+---
+title: Collection Types
+---
+
+# Collection Types
+
+Value types are types which represent some information that does not depend on
+the state of the heap. These values have a mathematical flair: they cannot be modified
+once they are created. Examples include sequences and sets. You don't *change* a
+set the way you might change an index into an array. Rather, to insert an element into
+as set, you would construct the *union* of the original set and the singleton set
+containing the new element. The old set is still around, of course. This lack of a dependence
+on the heap makes value types especially useful in specification.
+
+This is not to say that you can't update things with value types in them. Variables that contain
+a value type can be updated to have a new value of that type. It is just that any other variables or
+fields with the same set will keep their old value. Value types can contain references to
+the heap, as in the ubiquitous `set<object>`. In this case, the information in the value type
+is *which objects are in the set*, which does not depend on the values of any fields stored in
+those objects, for example. Further, all of Dafny's value types can be stored in fields on the heap,
+and used in real code in addition to specifications. Dafny's built in value types are sets, sequences, multisets, and maps.
+
+For a complete guide to various collection types and their operations,
+see the document on the [Dafny type system](http://leino.science/papers/krml243.html).
+Note, if you want to use these types in an executing program and you
+care about performance, use Dafny's `-optimize` option when compiling.
+
+
+## Sets
+
+Sets of various types form one of the core tools of verification for Dafny.
+Sets represent an orderless collection of elements, without repetition. Like
+sequences, sets are immutable value types. This allows them to be used easily
+in annotations, without involving the heap, as a set cannot be modified once
+it has been created. A set has the type:
+
+<!-- %no-check -->
+```dafny
+  set<int>
+```
+
+for a set of integers, for example. In general, sets can be of almost any type, including objects. Concrete sets can be specified by using display notation:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s1: set<int> := {}; // the empty set
+  var s2 := {1, 2, 3}; // set contains exactly 1, 2, and 3
+  assert s2 == {1,1,2,3,3,3,3}; // same as before
+  var s3, s4 := {1,2}, {1,4};
+}
+```
+
+The set formed by the display is the expected set, containing just
+the elements specified. Above we also see that equality is defined
+for sets. Two sets are equal if they have exactly the same elements.
+New sets can be created from existing ones using the common set operations:
+
+<!-- %check-verify -->
+```dafny
+method m ()
+{
+  var s1: set<int> := {};
+  var s2 := {1, 2, 3};
+  var s3, s4 := {1,2}, {1,4};
+  assert s2 + s4 == {1,2,3,4}; // set union
+  assert s2 * s3 == {1,2} && s2 * s4 == {1}; // set intersection
+  assert s2 - s3 == {3}; // set difference
+}
+```
+
+Note that because sets can only contain at most one of each element,
+the union does not count repeated elements more than once. These
+operators will result in a finite set if both operands are finite,
+so they cannot generate an infinite set. Unlike the arithmetic
+operators, the set operators are always defined. In addition to set
+forming operators, there are comparison operators with their usual
+meanings:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  assert {1} <= {1, 2} && {1, 2} <= {1, 2}; // subset
+  assert {} < {1, 2} && !({1} < {1}); // strict, or proper, subset
+  assert !({1, 2} <= {1, 4}) && !({1, 4} <= {1}); // not subsets
+  assert {1, 2} == {1, 2} && {1, 3} != {1, 2}; // equality and non-equality
+}
+```
+
+Sets, like sequences, support the `in` and `!in` operators, to
+test element membership. For example:
+
+<!-- %check-verify-warn Sets.W1.expect -->
+```dafny
+method m()
+{
+  assert 5 in {1,3,4,5};
+  assert 1 in {1,3,4,5};
+  assert 2 !in {1,3,4,5};
+  assert forall x: int :: x !in {};
+}
+```
+
+Sets are used in several annotations, including reads and modifies
+clauses. In this case, they can be sets of a specific object type
+(like `Nodes` in a linked list), or they can be sets of the
+generic reference type `object`. Despite its name, this can point to
+any object or array. This is useful to bundle up all of the locations
+that a function or method might read or write when they can be different types.
+
+
+When used in a decreases clause, sets are ordered by subset. This is unlike
+sequences, which are ordered by length only. In order for sets to be used in
+decreases clauses, the successive values must be "related" in some sense, which
+usually implies that they are recursively calculated, or similar.
+This requirement comes from the fact that there is no way to get the cardinality
+(size) of a set in Dafny. The size is guaranteed to be some finite natural, but it is inaccessible.
+You can test if the set is empty by comparing it to the empty set (`s == {}` is true if and
+only if `s` has no elements.)
+
+
+
+A useful way to create sets is using a set comprehension. This defines a new set by including `f(x)`
+in the set for all `x` of type `T` that satisfy `p(x)`:
+
+<!-- %no-check -->
+```dafny
+  set x: T | p(x) :: f(x)
+```
+
+This defines a set in a manner reminiscent of a universal quantifier (`forall`). As with quantifiers,
+the type can usually be inferred. In contrast to quantifiers, the bar syntax (`|`) is required to
+separate the predicate (`p`) from the bound variable (`x`). The type of the elements of the resulting set is
+the type of the return value of `f(x)`. The values in the constructed set are the return values of `f(x)`:
+`x` itself acts only as a bridge between the predicate `p` and the function `f`. It
+usually has the same type as the resulting set, but it does not need to. As an example:
+
+<!-- %check-verify-warn Sets.W2.expect -->
+```dafny
+method m()
+{
+  assert (set x | x in {0,1,2} :: x + 0) == {0,1,2};
+}
+```
+
+If the function is the identity, then the expression can be written with a particularly nice form:
+
+<!-- %check-verify-warn Sets.W3.expect -->
+```dafny
+method m()
+{
+  assert (set x | x in {0,1,2,3,4,5} && x < 3) == {0,1,2};
+}
+```
+
+General, non-identity functions in set comprehensions confuse Dafny easily. For example,
+the following is true, but Dafny cannot prove it:
+
+<!-- %check-verify  Sets.1.expect -->
+```dafny
+method m()
+{
+  // assert {0*1, 1*1, 2*1} == {0,1,2};  // include this assertion as a lemma to prove the next line
+  assert (set x | x in {0,1,2} :: x * 1) == {0,1,2};
+}
+```
+
+This mechanism has the potential to create an infinite set, which is not allowed in Dafny.
+To prevent this, Dafny employs heuristics in an attempt to prove that that the resulting
+set will be finite. When creating sets of integers, this can be done by bounding the integers
+in at least one clause of the predicate (something like `0 <= x < n`). Requiring a bound
+variable to be in an existing set also works, as in `x in {0,1,2}` from above. This works
+only when the inclusion part is conjuncted (`&&`'ed) with the rest of the predicate, as it
+needs to limit the possible values to consider.
+
+## Sequences
+
+Sequences are a built-in Dafny type representing an ordered
+list. They can be used to represent many ordered collections, including lists,
+queues, stacks, etc. Sequences are an immutable value type: they cannot be
+modified once they are created. In this sense, they are similar to strings in
+languages like Java and Python, except they can be sequences of arbitrary
+types, rather than only characters. Sequence types are written:
+
+<!-- %no-check -->
+```dafny
+  seq<int>
+```
+
+for a sequence of integers, for example. 
+For example, this function takes a sequence as a parameter:
+
+<!-- %check-verify -->
+```dafny
+predicate sorted(s: seq<int>)
+{
+  forall i,j :: 0 <= i < j < |s| ==> s[i] <= s[j]
+}
+```
+
+The length of a sequence is written `|s|`, as in the above quantifier. Specific elements of a
+sequence are accessed using the same square bracket syntax as arrays. Note also
+that the function does not require a reads clause to access the sequence. That
+is because sequences are not stored on the heap; they are values, so functions
+don't need to declare when they are accessing them. The most powerful property
+of sequences is the fact that annotations and functions can create and
+manipulate them. For example, another way of expressing sorted-ness is
+recursive: if the first element is smaller than the rest, and the rest is
+sorted, then the whole array is sorted:
+
+<!-- %check-verify -->
+```dafny
+predicate sorted2(s: seq<int>)
+{
+  0 < |s| ==> (forall i :: 0 < i < |s| ==> s[0] <= s[i]) &&
+               sorted2(s[1..])
+}
+```
+
+
+The notation `s[1..]`
+is *slicing* the sequence. It means starting at the first element, take
+elements until you reach the end. This does not modify s, as sequences are
+immutable. Rather, it creates a new sequence which has all the same elements in
+the same order, except for the first one. This is similar to addition of
+integers in that the original values are not changed, just new ones created.
+The slice notation is:
+
+<!-- %no-check -->
+```dafny
+  s[i..j]
+```
+
+where `0 <= i <= j <= |s|`. Dafny will enforce these index bounds. The resulting sequence
+will have exactly `j-i` elements, and will start with the element `s[i]` and
+continue sequentially through the sequence, if the result is non-empty. This
+means that the element at index `j` is excluded from the slice, which mirrors the
+same half-open interval used for regular indexing.
+
+Sequences can also be constructed from their elements, using *display notation*:
+
+<!-- %check-verify -->
+```dafny
+method m() {
+  var s := [1, 2, 3];
+}
+```
+
+Here we have a integer sequence variable in some imperative
+code containing the elements 1, 2, and 3. Type inference has been used here to
+determine that the sequence is one of integers. This notation allows us to
+construct empty sequences and singleton sequences:
+
+<!-- %no-check -->
+```dafny
+  [] // the empty sequence, which can be a sequence of any type
+  [true] // a singleton sequence of type seq<bool>
+```
+
+Slice notation and display notation can be used to check
+properties of sequences:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s := [1, 2, 3, 4, 5];
+  assert s[|s|-1] == 5; //access the last element
+  assert s[|s|-1..|s|] == [5]; //slice just the last element, as a singleton
+  assert s[1..] == [2, 3, 4, 5]; // everything but the first
+  assert s[..|s|-1] == [1, 2, 3, 4]; // everything but the last
+  assert s == s[0..] == s[..|s|] == s[0..|s|]; // the whole sequence
+}
+```
+
+By far the most common operations on sequences are getting
+the first and last elements, and getting everything but the first or last
+element, as these are often used in recursive functions, such as `sorted2`
+above. In addition to being deconstructed by being accessed or sliced, sequences
+can also be concatenated, using the plus (`+`) symbol:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s := [1, 2, 3, 4, 5];
+  assert [1,2,3] == [1] + [2,3];
+  assert s == s + [];
+  assert forall i :: 0 <= i <= |s| ==> s == s[..i] + s[i..];
+}
+```
+
+The last assertion gives a relationship between
+concatenation and slicing. Because the slicing operation is exclusive on one
+side and inclusive on the other, the `i`th element appears in the concatenation
+exactly once, as it should. Note that the concatenation operation is
+associative:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  assert forall a: seq<int>, b: seq<int>, c: seq<int> ::
+    (a + b) + c == a + (b + c);
+}
+```
+
+but that the Z3 theorem prover will not realize this unless
+it is prompted with an assertion stating that fact (see Lemmas/Induction for
+more information on why this is necessary).
+
+Sequences also support the `in` and `!in` operators, which test
+for containment within a sequence:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s := [1, 2, 3, 4, 5];
+  assert 5 in s;
+  assert 0 !in s;
+}
+```
+
+This also allows us an alternate means of quantifying over
+the elements of a sequence, when we don't care about the index. For example, we
+can require that a sequence only contains elements which are indices into the
+sequence:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s := [2,3,1,0];
+  assert forall i :: i in s ==> 0 <= i < |s|;
+}
+```
+
+This is a property of each individual element of the
+sequence. If we wanted to relate multiple elements to each other, we would need
+to quantify over the indices, as in the first example.
+
+Sometimes we would like to emulate the updatable nature of
+arrays using sequences. While we can't change the original sequence, we can
+create a new sequence with the same elements everywhere except for the updated
+element:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var s := [1,2,3,4];
+  assert s[2 := 6] == [1,2,6,4];
+}
+```
+
+Of course, the index `i` has to be an index into the array. This syntax is just
+a shortcut for an operation that can be done with regular slicing and access operations.
+Can you fill in the code below that does this?
+
+<!-- %check-verify -->
+```dafny
+function update(s: seq<int>, i: int, v: int): seq<int>
+  requires 0 <= i < |s|
+  ensures update(s, i, v) == s[i := v]
+{
+  s[..i] + [v] + s[i+1..]
+  // This works by concatenating everything that doesn't
+  // change with the singleton of the new value.
+}
+```
+
+You can also form a sequence from the elements of an array. This is done
+using the same "slice" notation as above:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var a := new int[][42,43,44]; // 3 element array of ints
+  a[0], a[1], a[2] := 0, 3, -1;
+  var s := a[..];
+  assert s == [0, 3, -1];
+}
+```
+
+To extract just part of the array, the bounds can be given just like in a regular
+slicing operation:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var a := new int[][42,43,44]; // 3 element array of ints
+  a[0], a[1], a[2] := 0, 3, -1;
+  assert a[1..] == [3, -1];
+  assert a[..1] == [0];
+  assert a[1..2] == [3];
+}
+```
+
+Because sequences support `in` and `!in`, this operation gives us
+an easy way to express the "element not in array" property, turning:
+
+<!-- %no-check -->
+```dafny
+forall k :: 0 <= k < a.Length ==> elem != a[k]
+```
+
+into:
+
+<!-- %no-check -->
+```dafny
+elem !in a[..]
+```
+
+Further, bounds are easily included:
+
+<!-- %no-check -->
+```dafny
+forall k :: 0 <= k < i ==> elem != a[k]
+```
+
+is the same as
+
+<!-- %no-check -->
+```dafny
+elem !in a[..i]
+```
+
+## Multisets
+
+Multisets are like sets in almost every way, except that they keep track of how
+many copies of each element they have. This makes them particularly useful for storing
+the set of elements in an array, for example, where the number of copies of each element is the same.
+The multiset type is almost the same as sets:
+
+<!-- %no-check -->
+```dafny
+  multiset<int>
+```
+
+Similarly, to give a multiset literal, you write curly braces, except preceeded by the `multiset` keyword:
+
+<!-- %no-check -->
+```dafny
+  multiset{3,5,7,3}
+```
+
+Be careful! `multiset({3,3})` is not a multiset literal with two 3's. The braces have to be
+adjacent to the keyword for it to work as you would expect.
+
+Like sets, multisets are unordered. However, because they keep track of how many of each
+element they have, the above literal actually has two 3's in it.
+
+Many of the operations defined on sets are also available for multisets. You can use `in` to
+test whether some element is in a multiset (in means that it has at least one member of the given value). Multiset sum
+(`+`) means take elements from both, and add them up. So if one multiset has two 3's and another has one, then their multiset
+sum would have a total of three 3's. The multiset difference (`-`) works similarly, in that the multiplicity of the elements
+(i.e. how many of each element are in the multiset) matters. So the following:
+
+<!-- %check-verify -->
+```dafny
+method test()
+{
+  assert (multiset{1,1,1} - multiset{1,1}) == multiset{1};
+}
+```
+
+holds, because we start with three 1's, then take away two to be left with one.
+
+Multiset disjoint (`!!`) works as expected: it is true if and only if the two multisets have no members in common.
+Also, two multisets are equal if they have exactly the same count of each element.
+
+
+Finally, multisets can be created from both sequences and sets by using multiset with parentheses:
+
+<!-- %check-verify -->
+```dafny
+method test()
+{
+  assert multiset([1,1]) == multiset{1,1};
+  assert multiset({1,1}) == multiset{1};
+}
+```
+
+Both of these assertions are correct because the multiset of a sequence considers each element seperately,
+whereas a set only has at most one of each element. Dafny lets you write `{1,1}`, but this is the same
+as `{1}`, because duplicates are ignored. Thus when making a multiset from a set, each element in the
+multiset will have multiplicity exactly one. Making multisets from sequences is particularly useful, as when
+combined with the slice of an array, allows you to talk about the set of elements in an array (as in `multiset(a[..])`),
+which is very helpful in verifying sorting algorithms and some data structures.
+
+
+## Maps
+
+Maps in Dafny represent *associative arrays*. Unlike the other types so far, they take two types:
+the *key* type, and the *value* type.
+Values can be retrieved, or looked up, based on the key. A map type is written:
+
+<!-- %no-check -->
+```dafny
+  map<U, V>
+```
+
+where `U` is the key type and `V` is the value type. For example, we can have a map from integers
+to integers as `map<int, int>`. A literal of this type might be `map[4 := 5, 5 := 6]`. This map
+associates 4 with 5 and 5 with 6. You can access the value for a given key with `m[key]`, if `m` is a
+map and `key` is a key. So we could write:
+
+<!-- %check-verify -->
+```dafny
+method test() {
+  var m := map[4 := 5, 5 := 6];
+  assert m[4] == 5;
+}
+```
+
+This is because 4, taken as a key into `m`, produces 5. We also know that `m[5] == 6`, as this is
+the other mapping.
+
+Each map has a *domain*, which are all of the keys for which that map has values. It is not well formed
+to ask a map for keys outside its domain. So `m[7]` doesn't make any sense, because `m` does not define
+any value for 7. To test whether a key is in the domain of a map, you can use the `in` operator. For example,
+`4 in m` and `5 in m`, but `7 !in m`. With quantifiers, you can say that the domain is some set, as
+in `forall i :: i in m <==> 0 <= i < 100` (which is true when `m`'s domain is exactly the numbers 0-99).
+In addition, two maps are disjoint (`!!`) if their domains taken as sets are disjoint.
+
+
+If `m` is a map, then `m[i := j]` is a new map which is the result of adding `i` to the domain of `m` and
+then associating the key `i` with the value `j`. If `i` already had a value, then it is overridden in
+the new map. This also means that when using map literals, it is permissible to repeat a key, but then the first value will be
+overridden. So `map[3 := 5, 3 := 4] == map[3 := 4]`. Note that two maps are equal if they have the same domain, and they
+map equal keys to equal values. Also, the domain of a map must always be finite.
+
+Like sets, maps have a map comprehension. The syntax is almost the same as for sets:
+
+<!-- %no-check -->
+```dafny
+map i: T | p(i) :: f(i)
+```
+
+The difference is that `i` is the key, and it is mapped to `f(i)`. `p(i)` is used to determine what the domain
+of the new map is. So:
+
+<!-- %check-verify -->
+```dafny
+method test() {
+  var m := map i | 0 <= i < 10 :: 2*i;
+}
+```
+
+is a map which takes the numbers 0-9 to their doubles. This is also how you can remove a key from a map. For example, this expression
+removes the key 3 from an `int` to `int` map `m`:
+
+<!-- %check-verify -->
+```dafny
+method test() {
+  var m := map[3 := 5, 4 := 6, 1 := 4];
+  var l := map i | i in m && i != 3 :: m[i];
+  assert l == map[4:= 6, 1 := 4];
+}
+```
diff --git a/v4.10.0/OnlineTutorial/guide.1.expect b/v4.10.0/OnlineTutorial/guide.1.expect
new file mode 100644
index 0000000..465351d
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.1.expect
@@ -0,0 +1,3 @@
+text.dfy(4,0): Error: out-parameter 'y', which is subject to definite-assignment rules, might be uninitialized at this return point
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.10.expect b/v4.10.0/OnlineTutorial/guide.10.expect
new file mode 100644
index 0000000..6a7d67a
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.10.expect
@@ -0,0 +1,14 @@
+text.dfy(7,0): Error: a postcondition could not be proved on this return path
+text.dfy(4,12): Related location: this is the postcondition that could not be proved
+text.dfy(7,0): Error: a postcondition could not be proved on this return path
+text.dfy(5,23): Related location: this is the postcondition that could not be proved
+text.dfy(7,0): Error: a postcondition could not be proved on this return path
+text.dfy(6,22): Related location: this is the postcondition that could not be proved
+text.dfy(16,0): Error: a postcondition could not be proved on this return path
+text.dfy(13,12): Related location: this is the postcondition that could not be proved
+text.dfy(16,0): Error: a postcondition could not be proved on this return path
+text.dfy(14,23): Related location: this is the postcondition that could not be proved
+text.dfy(16,0): Error: a postcondition could not be proved on this return path
+text.dfy(15,22): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 0 verified, 6 errors
diff --git a/v4.10.0/OnlineTutorial/guide.11.expect b/v4.10.0/OnlineTutorial/guide.11.expect
new file mode 100644
index 0000000..6b872c1
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.11.expect
@@ -0,0 +1,5 @@
+text.dfy(9,0): Error: a postcondition could not be proved on this return path
+text.dfy(8,12): Related location: this is the postcondition that could not be proved
+text.dfy(11,0): Error: out-parameter 'b', which is subject to definite-assignment rules, might be uninitialized at this return point
+
+Dafny program verifier finished with 1 verified, 2 errors
diff --git a/v4.10.0/OnlineTutorial/guide.12.expect b/v4.10.0/OnlineTutorial/guide.12.expect
new file mode 100644
index 0000000..e513b84
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.12.expect
@@ -0,0 +1,3 @@
+text.dfy(9,2): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.13.expect b/v4.10.0/OnlineTutorial/guide.13.expect
new file mode 100644
index 0000000..a3a11e7
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.13.expect
@@ -0,0 +1,6 @@
+text.dfy(5,21): Error: this loop invariant could not be proved on entry
+ Related message: loop invariant violation
+text.dfy(5,21): Error: this invariant could not be proved to be maintained by the loop
+ Related message: loop invariant violation
+
+Dafny program verifier finished with 0 verified, 2 errors
diff --git a/v4.10.0/OnlineTutorial/guide.14.expect b/v4.10.0/OnlineTutorial/guide.14.expect
new file mode 100644
index 0000000..5218101
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.14.expect
@@ -0,0 +1,4 @@
+text.dfy(14,20): Error: this loop invariant could not be proved on entry
+ Related message: loop invariant violation
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.15.expect b/v4.10.0/OnlineTutorial/guide.15.expect
new file mode 100644
index 0000000..e7be3c6
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.15.expect
@@ -0,0 +1,4 @@
+text.dfy(9,0): Error: a postcondition could not be proved on this return path
+text.dfy(8,12): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.16.expect b/v4.10.0/OnlineTutorial/guide.16.expect
new file mode 100644
index 0000000..6ddce48
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.16.expect
@@ -0,0 +1,3 @@
+text.dfy(5,16): Error: decreases expression must be bounded below by 0 at end of loop iteration
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.17.expect b/v4.10.0/OnlineTutorial/guide.17.expect
new file mode 100644
index 0000000..baa44a3
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.17.expect
@@ -0,0 +1,3 @@
+text.dfy(3,9): Warning: Could not find a trigger for this quantifier. Without a trigger, the quantifier may cause brittle verification. To silence this warning, add an explicit trigger using the {:trigger} attribute. For more information, see the section quantifier instantiation rules in the reference manual.
+
+Dafny program verifier finished with 1 verified, 0 errors
diff --git a/v4.10.0/OnlineTutorial/guide.18.expect b/v4.10.0/OnlineTutorial/guide.18.expect
new file mode 100644
index 0000000..271d2cb
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.18.expect
@@ -0,0 +1,4 @@
+text.dfy(4,0): Error: a postcondition could not be proved on this return path
+text.dfy(3,24): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.19.expect b/v4.10.0/OnlineTutorial/guide.19.expect
new file mode 100644
index 0000000..7baec0e
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.19.expect
@@ -0,0 +1,3 @@
+text.dfy(7,46): Error: index out of range
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.2.expect b/v4.10.0/OnlineTutorial/guide.2.expect
new file mode 100644
index 0000000..516d806
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.2.expect
@@ -0,0 +1,4 @@
+text.dfy(4,0): Error: out-parameter 'less', which is subject to definite-assignment rules, might be uninitialized at this return point
+text.dfy(4,0): Error: out-parameter 'more', which is subject to definite-assignment rules, might be uninitialized at this return point
+
+Dafny program verifier finished with 0 verified, 2 errors
diff --git a/v4.10.0/OnlineTutorial/guide.20.expect b/v4.10.0/OnlineTutorial/guide.20.expect
new file mode 100644
index 0000000..8cd4f6b
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.20.expect
@@ -0,0 +1,3 @@
+text.dfy(3,44): Error: insufficient reads clause to read array element; Consider adding 'reads a' in the enclosing predicate specification for resolution
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.3.expect b/v4.10.0/OnlineTutorial/guide.3.expect
new file mode 100644
index 0000000..0874722
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.3.expect
@@ -0,0 +1,4 @@
+text.dfy(4,0): Error: a postcondition could not be proved on this return path
+text.dfy(2,15): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.4.expect b/v4.10.0/OnlineTutorial/guide.4.expect
new file mode 100644
index 0000000..db9a932
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.4.expect
@@ -0,0 +1,4 @@
+text.dfy(3,0): Error: a postcondition could not be proved on this return path
+text.dfy(2,15): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.5.expect b/v4.10.0/OnlineTutorial/guide.5.expect
new file mode 100644
index 0000000..db9a932
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.5.expect
@@ -0,0 +1,4 @@
+text.dfy(3,0): Error: a postcondition could not be proved on this return path
+text.dfy(2,15): Related location: this is the postcondition that could not be proved
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.6.expect b/v4.10.0/OnlineTutorial/guide.6.expect
new file mode 100644
index 0000000..eec0290
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.6.expect
@@ -0,0 +1,3 @@
+text.dfy(6,0): Error: out-parameter 'c', which is subject to definite-assignment rules, might be uninitialized at this return point
+
+Dafny program verifier finished with 0 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.7.expect b/v4.10.0/OnlineTutorial/guide.7.expect
new file mode 100644
index 0000000..a2e5589
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.7.expect
@@ -0,0 +1,3 @@
+text.dfy(14,2): Error: assertion might not hold
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.8.expect b/v4.10.0/OnlineTutorial/guide.8.expect
new file mode 100644
index 0000000..791d7d9
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.8.expect
@@ -0,0 +1,3 @@
+text.dfy(11,2): Error: assertion might not hold
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.9.expect b/v4.10.0/OnlineTutorial/guide.9.expect
new file mode 100644
index 0000000..29cca6b
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.9.expect
@@ -0,0 +1,3 @@
+text.dfy(10,2): Error: assertion might not hold
+
+Dafny program verifier finished with 1 verified, 1 error
diff --git a/v4.10.0/OnlineTutorial/guide.md b/v4.10.0/OnlineTutorial/guide.md
new file mode 100644
index 0000000..c148951
--- /dev/null
+++ b/v4.10.0/OnlineTutorial/guide.md
@@ -0,0 +1,1746 @@
+---
+title: "Getting Started with Dafny: A Guide"
+---
+
+# Getting Started with Dafny: A Guide
+
+(_The examples use Dafny 4 syntax._)
+
+## Introduction
+
+Dafny is a language that is designed to make it easy to
+write correct code. This means correct in the sense of not having any runtime
+errors, but also correct in actually doing what the programmer intended it to
+do. To accomplish this, Dafny relies on high-level annotations to reason about
+and prove correctness of code. The effect of a piece of code can be given abstractly,
+using a natural, high-level expression of the desired behavior, which is easier
+and less error prone to write than the implementation code itself.
+ Dafny then generates a proof that the code
+matches the annotations (assuming they are correct, of course!). Dafny lifts the
+burden of writing bug-free *code* into that of writing bug-free *annotations*.
+This is often easier than writing the code, because annotations are shorter and
+more direct. For example, the following fragment of annotation in Dafny says
+that every element of the array is strictly positive:
+
+<!-- %no-check -->
+```dafny
+forall k: int :: 0 <= k < a.Length ==> 0 < a[k]
+```
+
+This says that for all integers `k`
+that are indices into the array, the value at that index is greater than zero.
+By writing these annotations, one is confident that the code is correct.
+Further, the very act of writing the annotations can help one understand what the
+code is doing at a deeper level.
+
+In addition to proving a correspondence to user supplied
+annotations, Dafny proves that there are no run time errors, such as index out
+of bounds, null dereferences, division by zero, etc. This guarantee is a
+powerful one, and is a strong case in and of itself for the use of Dafny and
+tools like it. Dafny also proves the termination of code, except in specially
+designated loops.
+
+Let's get started writing some Dafny programs.
+
+## Methods
+
+Dafny resembles a typical imperative programming language in
+many ways. There are methods, variables, types, loops, if statements, arrays,
+integers, and more. One of the basic units of any Dafny program is the *method*.
+A method is a piece of imperative, executable code. In other languages, they
+might be called procedures, or functions, but in Dafny the term "function" is
+reserved for a different concept that we will cover later. A method is declared
+in the following way:
+
+<!-- %check-verify guide.1.expect -->
+```dafny
+method Abs(x: int) returns (y: int)
+{
+  ...
+}
+```
+
+This declares a method called "`Abs`"
+which takes a single integer parameter, called "`x`", and
+returns a single integer, called "`y`". Note that the types
+are required for each parameter and return value, and follow each name after a
+colon (`:`). Also, the return values are named, and there
+can be multiple return values, as in this code:
+
+<!-- %check-verify guide.2.expect -->
+```dafny
+method MultipleReturns(x: int, y: int) returns (more: int, less: int)
+{
+  ...
+}
+```
+
+The method body is the code contained within the braces,
+which until now has been cleverly represented as "`...`"
+(which is *not* Dafny syntax). The body consists of a
+series of *statements*, such as the familiar imperative
+assignments, `if` statements, loops, other method calls, `return` statements, etc.
+For example, the `MultipleReturns` method may be
+implemented as:
+
+<!-- %check-verify -->
+```dafny
+method MultipleReturns(x: int, y: int) returns (more: int, less: int)
+{
+  more := x + y;
+  less := x - y;
+  // comments: are not strictly necessary.
+}
+```
+
+Assignments do not use "`=`", but
+rather "`:=`". (In fact, as Dafny uses "`==`"
+for equality, there is no use of a single equals sign in Dafny expressions.) Simple statements
+must be followed by a semicolon, and whitespace and comments (`//` and `/**/`) are ignored. To
+return a value from a method, the value is assigned to one of the named return
+values sometime before a `return` statement. In fact, the return values act very
+much like local variables, and can be assigned to more than once. The input
+parameters, however, are read only. `return` statements are used when one wants
+to return before reaching the end of the body block of the method. Return
+statements can be just the `return` keyword (where the current value of the out
+parameters are used), or they can take a list of values to return. There are
+also compound statements, such as `if` statements. `if` statements do not require
+parentheses around the boolean condition, and act as one would expect:
+
+<!-- %check-verify -->
+```dafny
+method Abs(x: int) returns (y: int)
+{
+  if x < 0 {
+    return -x;
+  } else {
+    return x;
+  }
+}
+```
+
+One caveat is that they always need braces around the
+branches, even if the branch only contains a single statement (compound or
+otherwise). Here the `if` statement checks whether `x` is less than
+zero, using the familiar comparison operator syntax, and returns the absolute value as
+appropriate. (Other comparison operators are `<=`, `>`, `>=`, `!=`
+and `==`, with the expected meaning. See the reference
+for more on operators.)
+
+## Pre- and Postconditions
+
+None of what we have seen so far has any specifications: the
+code could be written in virtually any imperative language (with appropriate
+considerations for multiple return values). The real power of Dafny comes from
+the ability to annotate these methods to specify their behavior. For example,
+one property that we observe with the `Abs` method is that the result is always
+greater than or equal to zero, regardless of the input. We could put this
+observation in a comment, but then we would have no way to know whether the
+method actually had this property. Further, if someone came along and changed
+the method, we wouldn't be guaranteed that the comment was changed to match.
+With annotations, we can have Dafny prove that the property we claim of the method
+is true. There are several ways to give annotations, but some of the most
+common, and most basic, are method *pre-*
+and *postconditions*.
+
+This property of the `Abs` method, that the result is always
+non-negative, is an example of a postcondition: it is something that is true
+after the method returns. Postconditions, declared with the `ensures`
+keyword, are given as part of the method's declaration, after the return values
+(if present) and before the method body. The keyword is followed by the boolean
+expression. Like an `if` or `while`
+condition and most specifications, a postcondition is always a boolean
+expression: something that can be *true* or *false*. In
+the case of the `Abs` method, a reasonable postcondition is the following:
+
+<!-- %check-verify -->
+```dafny
+method Abs(x: int) returns (y: int)
+  ensures 0 <= y
+{
+  if x < 0 {
+    return -x;
+  } else {
+    return x;
+  }
+}
+```
+
+You can see here why return values are given names. This
+makes them easy to refer to in the postcondition of a method. When the
+expression is true, we say that the postcondition *holds*.
+The postcondition must hold for every invocation of the function, and for every
+possible return point (including the implicit one at the end of the function body).
+In this case, the only property we are expressing is that the return value is
+always at least zero.
+
+Sometimes there are multiple properties that we would like
+to establish about our code. In this case, we have two options. We can either
+join the two conditions together with the boolean "and" operator (`&&`), or
+we can write multiple `ensures` specifications. The
+latter is basically the same as the former, but it separates distinct
+properties. For example, the return value names from the `MultipleReturns`
+method might lead one to guess the following postconditions:
+
+<!-- %check-verify guide.3.expect -->
+```dafny
+method MultipleReturns(x: int, y: int) returns (more: int, less: int)
+  ensures less < x
+  ensures x < more
+{
+  more := x + y;
+  less := x - y;
+}
+```
+
+The postcondition can also be written:
+
+<!-- %check-verify guide.4.expect -->
+```dafny
+method MultipleReturns(x: int, y: int) returns (more: int, less: int)
+  ensures less < x && x < more
+{
+  more := x + y;
+  less := x - y;
+}
+```
+
+or even:
+
+<!-- %check-verify guide.5.expect -->
+```dafny
+method MultipleReturns(x: int, y: int) returns (more: int, less: int)
+  ensures less < x < more
+{
+  more := x + y;
+  less := x - y;
+}
+```
+
+because of the chaining comparison operator syntax in Dafny.
+(In general, most of the comparison operators can be chained, but only "in one
+direction", i.e. not mixing "greater than" and "less than". See the reference for
+details.)
+
+The first way of expressing the postconditions separates
+the "less" part from the "more" part, which may be desirable. Another thing to
+note is that we have included one of the input parameters in the
+postcondition. This is useful because it allows us to relate the input and
+output of the method to one another (this works because input parameters are
+read only, and so are the same at the end as they were at the beginning).
+
+Dafny actually rejects this program, claiming that the first
+postcondition does not hold (i.e. is not true). This means that Dafny wasn't
+able to prove that this annotation holds every time the method returns. In
+general, there are two main causes for Dafny verification errors: specifications
+that are inconsistent with the code, and situations where it is not "clever"
+enough to prove the required properties. Differentiating between these two
+possibilities can be a difficult task, but fortunately, Dafny and the Boogie/Z3
+system on which it is based are pretty smart, and will prove matching code and specifications
+with a minimum of fuss.
+
+In this situation, Dafny is correct in saying there is an
+error with the code. The key to the problem is that `y`
+is an integer, so it can be negative. If `y` is negative (or zero), then `more`
+can actually be smaller than or equal to `x`. Our method will not work as intended
+unless `y` is strictly larger than zero. This is precisely the idea of
+a *precondition*. A precondition is similar to a postcondition, except
+that it is something that must be true *before*
+a method is called. When you call a method, it is your job to establish (make
+true) the preconditions, something Dafny will enforce using a proof. Likewise,
+when you write a method, you get to assume the preconditions, but you must
+establish the postconditions. The caller of the method then gets to assume
+that the postconditions hold after the method returns.
+
+Preconditions have their own keyword, `requires`.
+We can give the necessary precondition to `MultipleReturns`
+as below:
+
+<!-- %check-verify -->
+```dafny
+method MultipleReturns(x: int, y: int) returns (more: int, less: int)
+  requires 0 < y
+  ensures less < x < more
+{
+  more := x + y;
+  less := x - y;
+}
+```
+
+Like postconditions, multiple preconditions can be written
+either with the boolean "and" operator (`&&`), or
+by multiple `requires` keywords. Traditionally, `requires`
+precede `ensures` in the source code, though this is not strictly necessary
+(although the order of the `requires` and `ensures` annotations with respect to
+others of the same type can sometimes matter, as we will see later). With the
+addition of this condition, Dafny now verifies the code as correct, because
+this assumption is all that is needed to guarantee the code in the method body
+is correct.
+
+**Exercise 0.**
+  *Write a method `Max` that takes two integer parameters and returns
+  their maximum. Add appropriate annotations and make sure your code
+  verifies.*
+
+<!-- %check-verify guide.6.expect -->
+```dafny
+method Max(a: int, b: int) returns (c: int)
+  // What postcondition should go here, so that the function operates as expected?
+  // Hint: there are many ways to write this.
+{
+  // fill in the code here
+}
+```
+
+Not all methods necessarily have preconditions. For
+example, the `Abs` method we have already seen is defined for all integers, and
+so has no preconditions (other than the trivial requirement that its argument
+is an integer, which is enforced by the type system). Even though it has no
+need of preconditions, the `Abs` function as it stands now is not very useful.
+To investigate why, we need to make use of another kind of annotation, the *assertion*.
+
+## Assertions
+
+Unlike pre- and postconditions, an assertion is placed
+somewhere in the middle of a method. Like the previous two annotations, an
+assertion has a keyword, `assert`, followed by the
+boolean expression and the semicolon that terminates simple
+statements. An assertion says that a particular
+expression always holds when control reaches that part of the code. For
+example, the following is a trivial use of an assertion inside a dummy method:
+
+<!-- %check-verify -->
+```dafny
+method Testing()
+{
+  assert 2 < 3;
+  // Try "asserting" something that is not true.
+  // What does Dafny output?
+}
+```
+
+Dafny proves this method correct, as `2` is always less than
+`3`. Asserts have several uses, but chief among them is checking whether your
+expectations of what is true at various points is actually true. You can use this
+to check basic arithmetical facts, as above, but they can also be used in more
+complex situations. Assertions are a powerful tool for debugging annotations,
+by checking what Dafny is able to prove about your code. For example, we can
+use it to investigate what Dafny knows about the `Abs` function.
+
+To do this, we need one more concept: local variables. Local
+variables behave exactly as you would expect, except maybe for a few issues
+with shadowing. (See the reference for details.) Local variables are declared
+with the `var` keyword, and can optionally have type
+declarations. Unlike method parameters, where types are required, Dafny can
+infer the types of local variables in almost all situations. This is an example
+of an initialized, explicitly typed variable declaration:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var x: int := 5;
+}
+```
+
+The type annotation can be dropped in this case:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var x := 5;
+}
+```
+
+Multiple variables can be declared at once:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var x, y, z: bool := 1, 2, true;
+}
+```
+
+Explicit type declarations only apply to the immediately
+preceding variable, so here the `bool` declaration only
+applies to `z`, and not `x` or `y`, which are
+both inferred to be `int`s.
+We needed variables because we want to talk about the return value of the `Abs`
+method. We cannot put `Abs` inside a specification directly, as the method could
+change memory state, among other problems. So we capture the return value of a
+call to `Abs` as follows:
+
+<!-- %check-verify -->
+```dafny
+method Abs(x: int) returns (y: int)
+  ensures 0 <= y
+{
+  if x < 0 {
+    return -x;
+  } else {
+    return x;
+  }
+}
+method Testing()
+{
+  var v := Abs(3);
+  assert 0 <= v;
+}
+```
+
+This is an example of a situation where we can ask Dafny
+what it knows about the values in the code, in this case `v`.
+We do this by adding assertions, like the one above. Every time Dafny
+encounters an assertion, it tries to prove that the condition holds for all
+executions of the code. In this example, there is only one control path through
+the method, and Dafny is able to prove the annotation easily because it is
+exactly the postcondition of the `Abs` method. `Abs` guarantees that the return
+value is non-negative, so it trivially follows that `v`, which is this value, is
+non-negative after the call to `Abs`.
+
+**Exercise 1.**
+  *Write a test method that calls your `Max` method from Exercise 0
+  and then asserts something about the result.*
+
+<!-- %check-resolve -->
+```dafny
+method Max(a: int, b:int) returns (c: int)
+  // Use your code from Exercise 0
+method Testing() {
+  // Assert some things about Max. Does it operate as you expect?
+  // If it does not, can you think of a way to fix it?
+}
+```
+
+But we know something stronger about the `Abs` method. In
+particular, for non-negative `x`, `Abs(x) == x`. Specifically, in the
+above program, the value of `v` is 3. If we try adding an assertion (or
+changing the existing one) to say:
+
+<!-- %check-verify guide.7.expect -->
+```dafny
+method Abs(x: int) returns (y: int)
+  ensures 0 <= y
+{
+  if x < 0 {
+    return -x;
+  } else {
+    return x;
+  }
+}
+method Testing()
+{
+  var v := Abs(3);
+  assert 0 <= v;
+  assert v == 3;
+}
+```
+
+we find that Dafny cannot prove our assertion, and gives an
+error. The reason this happens is that Dafny "forgets" about the body of every
+method except the one it is currently working on. This simplifies Dafny's job
+tremendously, and is one of the reasons it is able to operate at reasonable
+speeds. It also helps us reason about our programs by breaking them apart and so
+we can analyze each method in isolation (given the annotations for the other
+methods). We don't care at all what happens inside each method when we call it,
+as long as it satisfies its annotations. This works because Dafny will prove
+that all the methods satisfy their annotations, and refuse to compile our code
+until they do.
+
+For the `Abs` method, this means that the only thing Dafny
+knows in the Testing method about the value returned from `Abs` is what the postconditions
+say about it, *and nothing more*. This means that Dafny won't know the
+nice property about `Abs` and non-negative integers unless we tell it by putting
+this in the postcondition of the `Abs` method. Another way to look at it is to
+consider the method annotations (along with the type of the parameters and
+return values) as fixing the behavior of the method. Everywhere the method is
+used, we assume that it is any one of the conceivable method(s) that satisfies the pre- and
+postconditions. In the `Abs` case, we might have written:
+
+<!-- %check-verify guide.8.expect -->
+```dafny
+method Abs(x: int) returns (y: int)
+  ensures 0 <= y
+{
+  y := 0;
+}
+method Testing()
+{
+  var v := Abs(3);
+  assert 0 <= v;
+  // this still does not verify, but now it is actually not true:
+  assert v == 3;
+}
+```
+
+This method satisfies the postconditions, but clearly the
+program fragment:
+
+<!-- %check-verify guide.9.expect -->
+```dafny
+method Abs(x: int) returns (y: int)
+  ensures 0 <= y
+{
+  y := 0;
+}
+method Testing()
+{
+  var v := Abs(3);
+  assert 0 <= v;
+  assert v == 3;
+}
+```
+
+would not be true in this case. Dafny is considering, in an
+abstract way, all methods with those annotations. The mathematical absolute
+value certainly is such a method, but so are all methods that return a positive
+constant, for example. We need stronger postconditions to eliminate these
+other possibilities, and "fix" the method down to exactly the one we want. We
+can partially do this with the following:
+
+<!-- %check-verify -->
+```dafny
+method Abs(x: int) returns (y: int)
+  ensures 0 <= y
+  ensures 0 <= x ==> y == x
+{
+  if x < 0 {
+    return -x;
+  } else {
+    return x;
+  }
+}
+```
+
+This expresses exactly the property we discussed before,
+that the absolute value is the same for non-negative integers. The second
+`ensures` is expressed via the implication operator `==>`, which basically says that
+the left hand side implies the right in the mathematical sense (it binds more
+weakly than boolean "and" and comparisons, so the above says `0 <= x` implies `y == x`).
+The left and right sides must both be boolean expressions.
+
+The postcondition says that after `Abs` is called, if the
+value of `x` was non-negative, then `y`
+is equal to `x`. One caveat of the implication is that it
+is still true if the left part (the antecedent) is false. So the second
+postcondition is trivially true when `x` is negative. In
+fact, the only thing that the annotations say when `x` is
+negative is that the result, `y`, is positive. But this
+is still not enough to fix the method, so we must add another postcondition,
+to make the following complete annotation covering all cases:
+
+<!-- %check-verify -->
+```dafny
+method Abs(x: int) returns (y: int)
+  ensures 0 <= y
+  ensures 0 <= x ==> y == x
+  ensures x < 0 ==> y == -x
+{
+  if x < 0 {
+    return -x;
+  } else {
+    return x;
+  }
+}
+```
+
+These annotations are enough to require that our method
+actually computes the absolute value of `x`. These postconditions are
+not the only way to express this property. For example, this is a different,
+and somewhat shorter, way of saying the same thing:
+
+<!-- %check-verify -->
+```dafny
+method Abs(x: int) returns (y: int)
+  ensures 0 <= y && (y == x || y == -x)
+{
+  if x < 0 {
+    return -x;
+  } else {
+    return x;
+  }
+}
+```
+
+In general, there can be many ways to write down a given property. Most of the
+time it doesn't matter which one you pick, but a good choice can make it easier
+to understand the stated property and verify that it is correct.
+
+But we still have an issue: there seems to be a lot of duplication. The body of the method
+is reflected very closely in the annotations. While this is correct code, we
+want to eliminate this redundancy. As you might guess, Dafny provides a means
+of doing this: functions.
+
+**Exercise 2.**
+  *Using a precondition, change `Abs` to say it can only be called on
+  negative values. Simplify the body of `Abs` into just one return
+  statement and make sure the method still verifies.*
+
+<!-- %check-verify -->
+```dafny
+method Abs(x: int) returns (y: int)
+  // Add a precondition here.
+  ensures 0 <= y
+  ensures 0 <= x ==> y == x
+  ensures x < 0 ==> y == -x
+{
+  // Simplify the body to just one return statement
+  if x < 0 {
+    return -x;
+  } else {
+    return x;
+  }
+}
+```
+
+**Exercise 3.**
+  *Keeping the postconditions of `Abs` the same as above, change the
+  body of `Abs` to just `y := x + 2`. What precondition do you need to
+  annotate the method with in order for the verification to go
+  through? What precondition do you need if the body is `y := x + 1`?
+  What does that precondition say about when you can call the method?*
+
+<!-- %check-verify guide.10.expect -->
+```dafny
+method Abs(x: int) returns (y: int)
+  // Add a precondition here so that the method verifies.
+  // Don't change the postconditions.
+  ensures 0 <= y
+  ensures 0 <= x ==> y == x
+  ensures x < 0 ==> y == -x
+{
+  y:= x + 2;
+}
+method Abs2(x: int) returns (y: int)
+  // Add a precondition here so that the method verifies.
+  // Don't change the postconditions.
+  ensures 0 <= y
+  ensures 0 <= x ==> y == x
+  ensures x < 0 ==> y == -x
+{
+  y:= x + 1;
+}
+```
+
+## Functions
+
+<!-- %no-check -->
+```dafny
+function abs(x: int): int
+{
+  ...
+}
+```
+
+This declares a function called `abs`
+which takes a single integer, and returns an integer (the second `int`).
+Unlike a method, which can have all sorts of statements
+in its body, a function body must consist of exactly one expression, with the
+correct type. Here our body must be an integer expression. In order to
+implement the absolute value function, we need to use an *`if` expression*. An `if`
+expression is like the ternary operator in other languages.
+
+<!-- %check-verify -->
+```dafny
+function abs(x: int): int
+{
+  if x < 0 then -x else x
+}
+```
+
+Obviously, the condition must be a boolean expression, and
+the two branches must have the same type. You might wonder why anyone would
+bother with functions, if they are so limited compared to methods. The power of
+functions comes from the fact that they can be *used directly in specifications*.
+So we can write:
+
+<!-- %check-verify -->
+```dafny
+function abs(x: int): int
+{
+  if x < 0 then -x else x
+}
+method m()
+{
+  assert abs(3) == 3;
+}
+```
+
+In fact, not only can we write this statement directly
+without capturing to a local variable, we didn't even need to write any
+postconditions to caputure the behavior as we did with the method (though functions can and do have
+pre- and postconditions in general). The limitations of functions are
+precisely what enable Dafny to do this. Unlike with methods, Dafny does not forget the
+body of a function when using it. So it can expand the
+definition of `abs` in the above assertion and determine that the result is
+actually `3`.
+
+**Exercise 4.**
+  *Write a **function** `max` that returns the larger of two given
+  integer parameters. Write a test method using an `assert` that
+  checks that your function is correct.*
+
+<!-- %check-resolve -->
+```dafny
+function max(a: int, b: int): int
+{
+  0 // Fill in an expression here.
+}
+method Testing() {
+  // Add assertions to check max here.
+}
+```
+
+**Exercise 5.**
+  *Now that we have an `abs` function, change the postcondition of
+  method `Abs` to make use of `abs`. After confirming the method still
+  verifies, change the body of `Abs` to also use `abs`. (After doing
+  this, you will realize there is not much point in having a method
+  that does exactly the same thing as a function.)*
+
+<!-- %check-verify -->
+```dafny
+function abs(x: int): int
+{
+  if x < 0 then -x else x
+}
+method Abs(x: int) returns (y: int)
+  // Use abs here, then confirm the method still verifies.
+{
+  // Then change this body to also use abs.
+  if x < 0 {
+    return -x;
+  } else {
+    return x;
+  }
+}
+```
+
+Unlike methods, functions can appear in expressions. Thus we
+can do something like implement the mathematical Fibonacci function:
+
+<!-- %check-verify -->
+```dafny
+function fib(n: nat): nat
+{
+  if n == 0 then 0
+  else if n == 1 then 1
+  else fib(n - 1) + fib(n - 2)
+}
+```
+
+Here we use `nat`s, the type of
+natural numbers (non-negative integers), which is often more convenient than
+annotating everything to be non-negative. Using this function for actually calculating
+the Fibonacci numbers would be extremely slow, as this implementation has exponential
+complexity. There are much better ways to calculate the Fibonacci function. But
+this function is still useful, as we can have Dafny prove that a fast version
+really matches the mathematical definition. We can get the best of both worlds:
+the guarantee of correctness and the performance we want.
+
+We can start by defining a method like the following:
+
+<!-- %check-verify guide.11.expect -->
+```dafny
+function fib(n: nat): nat
+{
+  if n == 0 then 0
+  else if n == 1 then 1
+  else fib(n - 1) + fib(n - 2)
+}
+method ComputeFib(n: nat) returns (b: nat)
+  ensures b == fib(n)
+{
+  ...
+}
+```
+
+We haven't written the body yet, so Dafny will complain that
+our postcondition doesn't hold. We need an algorithm to calculate the `n`<sup>th</sup>
+Fibonacci number. The basic idea is to keep a counter and repeatedly calculate adjacent pairs
+of Fibonacci numbers until the desired number is reached. To do this, we need a loop. In Dafny, this is done
+via a *`while` loop*. A while loop looks like the following:
+
+<!-- %check-verify -->
+```dafny
+method m(n: nat)
+{
+  var i := 0;
+  while i < n
+  {
+    i := i + 1;
+  }
+}
+```
+
+This is a trivial loop that just increments `i` until it reaches `n`. This will form
+the core of our loop to calculate Fibonacci numbers.
+
+## Loop Invariants
+
+`while` loops present a problem for Dafny. There is no way for
+Dafny to know in advance how many times the code will go around the loop. But
+Dafny needs to consider all paths through a program, which could include going
+around the loop any number of times. To make it possible for Dafny to work with
+loops, you need to provide *loop invariants*, another kind of annotation.
+
+A loop invariant is an expression that holds upon entering a
+loop and after every execution of the loop body. It captures something that is
+invariant, i.e. does not change, about every step of the loop. Now, obviously
+we are going to want to change variables, etc. each time around the loop, or we
+wouldn't need the loop. Like pre- and postconditions, an invariant is a *property* that is
+preserved for each execution of the loop, expressed using the same boolean
+expressions we have seen. For example, we see in the above loop that if `i`
+starts off positive, then it stays positive. So we can add the invariant, using
+its own keyword, to the loop:
+
+<!-- %check-verify -->
+```dafny
+method m(n: nat)
+{
+  var i := 0;
+  while i < n
+    invariant 0 <= i
+  {
+    i := i + 1;
+  }
+}
+```
+
+When you specify an invariant, Dafny proves two things: the
+invariant holds upon entering the loop and it is preserved by the loop. By
+preserved, we mean that assuming that the invariant holds at the beginning of
+the loop, we must show that executing the loop body once makes the invariant
+hold again. Dafny can only know upon analyzing the loop body what the
+invariants say, in addition to the loop guard (the loop condition). Just as
+Dafny will not discover properties of a method on its own, it will not know any
+but the most basic properties of a loop are preserved unless it is told via an
+invariant.
+
+In our example, the point of the loop is to build up the
+Fibonacci numbers one (well, two) at a time until we reach the desired number. After
+we exit the loop, we will have that `i == n`, because `i` will stop being
+incremented when it reaches `n`. We can use our assertion trick to check to see if Dafny
+sees this fact as well:
+
+<!-- %check-verify guide.12.expect -->
+```dafny
+method m(n: nat)
+{
+  var i: int := 0;
+  while i < n
+    invariant 0 <= i
+  {
+    i := i + 1;
+  }
+  assert i == n;
+}
+```
+
+We find that this assertion fails. As far as Dafny knows, it
+is possible that `i` somehow became much larger than `n` at some point during the loop.
+All it knows after the loop exits (i.e. in the code after the loop) is that the loop guard
+failed and the invariants hold. In this case, this amounts to `n <= i`
+and `0 <= i`. But this is not enough to guarantee that
+`i == n`, just that `n <= i`.
+Somehow we need to eliminate the possibility of `i`
+exceeding `n`. One first guess for solving this problem
+might be the following:
+
+<!-- %check-verify guide.13.expect -->
+```dafny
+method m(n: nat)
+{
+  var i: int := 0;
+  while i < n
+    invariant 0 <= i < n
+  {
+    i := i + 1;
+  }
+}
+```
+
+This does not verify, as Dafny complains that the invariant
+is not preserved (also known as not maintained) by the loop. We want to be able to
+say that after the loop exits, then all the invariants hold. Our invariant
+holds for every execution of the loop *except*
+for the very last one. Because the loop body is executed only when the loop
+guard holds, in the last iteration `i` goes from `n - 1` to `n`, but does not increase
+further, as the loop exits. Thus, we have only omitted exactly one case from
+our invariant, and repairing it is relatively easy:
+
+<!-- %check-verify -->
+```dafny
+method m(n: nat)
+{
+  var i: int := 0;
+  while i < n
+    invariant 0 <= i <= n
+  {
+    i := i + 1;
+  }
+}
+```
+
+Now we can say both that `n <= i`
+from the loop guard and `0 <= i <= n` from the
+invariant, which allows Dafny to prove the assertion `i == n`.
+The challenge in picking loop invariants is finding one that is preserved
+by the loop, but also that lets you prove what you need after the loop
+has executed.
+
+**Exercise 6.**
+  *Change the loop invariant to `0 <= i <= n+2`. Does the loop still
+  verify? Does the assertion `i == n` after the loop still verify?*
+
+<!-- %check-verify -->
+```dafny
+method m(n: nat)
+{
+  var i: int := 0;
+  while i < n
+    invariant 0 <= i <= n  // Change this. What happens?
+  {
+    i := i + 1;
+  }
+  assert i == n;
+}
+```
+
+
+**Exercise 7.**
+  *With the original loop invariant, change the loop guard from
+  `i < n` to `i != n`. Do the loop and the assertion after the loop
+  still verify? Why or why not?*
+
+<!-- %check-verify -->
+```dafny
+method m(n: nat)
+{
+  var i: int := 0;
+  while i < n  // Change this. What happens?
+    invariant 0 <= i <= n
+  {
+    i := i + 1;
+  }
+  assert i == n;
+}
+```
+
+
+In addition to the counter, our algorithm called for a pair
+of numbers which represent adjacent Fibonacci numbers in the sequence.
+Unsurprisingly, we will have another invariant or two to relate these numbers
+to each other and the counter. To find these invariants, we employ a common
+Dafny trick: working backwards from the postconditions.
+
+Our postcondition for the Fibonacci method is that the
+return value `b` is equal to `fib(n)`.
+But after the loop, we have that `i == n`, so we need `b == fib(i)`
+at the end of the loop. This might make a good
+invariant, as it relates something to the loop counter. This observation is
+surprisingly common throughout Dafny programs. Often a method is just a
+loop that, when it ends, makes the postcondition true by having a counter
+reach another number, often an argument or the length of an array or sequence.
+So we have that the variable `b`, which is conveniently
+our out parameter, will be the current Fibonacci number:
+
+<!-- %no-check -->
+```dafny
+  invariant b == fib(i)
+```
+
+We also note that in our algorithm, we can compute any Fibonacci
+number by keeping track of a pair of numbers and summing them to get the next
+number. So we want a way of tracking the previous Fibonacci number, which we
+will call `a`. Another invariant will express that
+number's relation to the loop counter. The invariants are:
+
+<!-- %no-check -->
+```dafny
+  invariant a == fib(i - 1)
+```
+
+At each step of the loop, the two values are summed to get
+the next leading number, while the trailing number is the old leading number.
+Using a parallel assignment, we can write a loop that performs this operation:
+
+<!-- %check-verify guide.14.expect -->
+```dafny
+function fib(n: nat): nat
+{
+  if n == 0 then 0
+  else if n == 1 then 1
+  else fib(n - 1) + fib(n - 2)
+}
+method ComputeFib(n: nat) returns (b: nat)
+  ensures b == fib(n)
+{
+  var i := 1;
+  var a := 0;
+  b := 1;
+  while i < n
+    invariant 0 < i <= n
+    invariant a == fib(i - 1)
+    invariant b == fib(i)
+  {
+    a, b := b, a + b;
+    i := i + 1;
+  }
+}
+```
+
+Here `a` is the trailing number and `b` is the leading number.
+The parallel assignment means that the entire right hand side is
+calculated before the assignments to the
+variables are made. Thus `a` will get the old value of `b`, and `b`
+will get the sum of the two
+old values, which is precisely the behavior we want.
+
+We also have made a change to the loop counter `i`. Because we
+also want to track the trailing number, we can't start the counter at zero, as
+otherwise we would have to calculate a negative Fibonacci number. The problem
+with doing this is that the loop counter invariant may not hold when we enter
+the loop. The only problem is when `n` is zero. This can
+be eliminated as a special case, by testing for this condition at the beginning
+of the loop. The completed Fibonacci method becomes:
+
+<!-- %check-verify -->
+```dafny
+function fib(n: nat): nat
+{
+  if n == 0 then 0
+  else if n == 1 then 1
+  else fib(n - 1) + fib(n - 2)
+}
+method ComputeFib(n: nat) returns (b: nat)
+  ensures b == fib(n)
+{
+  if n == 0 { return 0; }
+  var i: int := 1;
+  var a := 0;
+  b := 1;
+  while i < n
+    invariant 0 < i <= n
+    invariant a == fib(i - 1)
+    invariant b == fib(i)
+  {
+    a, b := b, a + b;
+    i := i + 1;
+  }
+}
+```
+
+Dafny no longer complains about the loop invariant not
+holding, because if `n` were zero, it would return before reaching the loop.
+Dafny is also able to use the loop invariants to prove that after the loop, `i == n`
+and `b == fib(i)`, which together imply the postcondition, `b == fib(n)`.
+
+**Exercise 8.**
+  *The `ComputeFib` method above is more complicated than
+  necessary. Write a simpler program by not introducing `a` as the
+  Fibonacci number that precedes `b`, but instead introducing a
+  variable `c` that succeeds `b`. Verify your program is correct
+  according to the mathematical definition of Fibonacci.*
+
+<!-- %check-verify -->
+```dafny
+function fib(n: nat): nat
+{
+  if n == 0 then 0
+  else if n == 1 then 1
+  else fib(n - 1) + fib(n - 2)
+}
+method ComputeFib(n: nat) returns (b: nat)
+  ensures b == fib(n)  // Do not change this postcondition
+{
+  // Change the method body to instead use c as described.
+  // You will need to change both the initialization and the loop.
+  if n == 0 { return 0; }
+  var i: int := 1;
+  var a := 0;
+  b := 1;
+  while i < n
+    invariant 0 < i <= n
+    invariant a == fib(i - 1)
+    invariant b == fib(i)
+  {
+    a, b := b, a + b;
+    i := i + 1;
+  }
+}
+```
+
+
+**Exercise 9.**
+  *Starting with the completed `ComputeFib` method above, delete the
+  `if` statement and initialize `i` to `0`, `a` to `1`, and `b` to
+  `0`.  Verify this new program by adjusting the loop invariants to
+  match the new behavior.*
+
+<!-- %check-verify guide.15.expect -->
+```dafny
+function fib(n: nat): nat
+{
+  if n == 0 then 0
+  else if n == 1 then 1
+  else fib(n - 1) + fib(n - 2)
+}
+method ComputeFib(n: nat) returns (b: nat)
+  ensures b == fib(n)
+{
+  var i: int := 0;
+  var a := 1;
+  b := 0;
+  while i < n
+    // Fill in the invariants here.
+  {
+    a, b := b, a + b;
+    i := i + 1;
+  }
+}
+```
+
+One of the problems with using invariants is that it is easy
+to forget to have the loop *make progress*, i.e. do work at each step. For
+example, we could have omitted the entire body of the loop in the previous
+program. The invariants would be correct, because they are still true upon
+entering the loop, and since the loop doesn't change anything, they would be
+preserved by the loop. We know that *if* we exit the loop, then we can assume the
+negation of the guard and the invariants, but this says nothing about what
+happens if we never exit the loop. Thus we would like to make sure the loop ends
+at some point, which gives us a stronger correctness guarantee
+(the technical term is *total correctness*).
+
+## Termination
+
+Dafny proves that code terminates, i.e. does not loop forever, by
+using `decreases` annotations. For many things, Dafny is able to guess the right
+annotations, but sometimes it needs to be made explicit. In fact, for all of the
+code we have seen so far, Dafny has been able to do this proof on its own,
+which is why we haven't seen the `decreases` annotation explicitly yet. There
+are two places Dafny proves termination: loops and recursion. Both of these
+situations require either an explicit annotation or a correct guess by Dafny.
+
+A `decreases` annotation, as its name suggests, gives Dafny
+an expression that decreases with every loop iteration or recursive call.
+There are two conditions that Dafny needs to verify when using a `decreases`
+expression: that the expression actually gets smaller and that it is bounded.
+Many times, an integral value (natural or plain integer) is the quantity that
+decreases, but other things can be used as well. (See the reference for
+details.) In the case of integers, the bound is assumed to be zero. For
+example, the following is a proper use of `decreases` on a loop (with its own
+keyword, of course):
+
+<!-- %check-verify -->
+```dafny
+method m ()
+{
+  var i := 20;
+  while 0 < i
+    invariant 0 <= i
+    decreases i
+  {
+    i := i - 1;
+  }
+}
+```
+
+Here Dafny has all the ingredients it needs to prove
+termination. The variable `i` gets smaller each loop iteration and is bounded
+below by zero. This is fine, except the loop is backwards compared to most loops,
+which tend to count up instead of down. In this case, what decreases is not the
+counter itself, but rather the distance between the counter and the upper
+bound. A simple trick for dealing with this situation is given below:
+
+<!-- %check-verify -->
+```dafny
+method m()
+{
+  var i, n := 0, 20;
+  while i < n
+    invariant 0 <= i <= n
+    decreases n - i
+  {
+    i := i + 1;
+  }
+}
+```
+
+This is actually Dafny's guess for this situation, as it
+sees `i < n` and assumes that `n - i`
+is the quantity that decreases. The upper bound of the loop invariant implies
+that `0 <= n – i`, and gives Dafny a lower bound on
+the quantity. This also works when the bound `n` is not
+constant, such as in the binary search algorithm, where two quantities approach
+each other, and neither is fixed.
+
+**Exercise 10.**
+  *In the loop above, the invariant `i <= n` and the negation of the
+  loop guard allow us to conclude `i == n` after the loop (as we
+  checked previously with an `assert`. Note that if the loop guard
+  were instead written as `i != n` (as in Exercise 7), then the
+  negation of the guard immediately gives `i == n` after the loop,
+  regardless of the loop invariant. Change the loop guard to `i != n`
+  and delete the invariant annotation. Does the program verify? What
+  happened?*
+
+<!-- %check-verify guide.16.expect -->
+```dafny
+method m()
+{
+  var i, n := 0, 20;
+  while i != n
+    decreases n - i
+  {
+    i := i + 1;
+  }
+}
+```
+
+The other situation that requires a termination proof is
+when methods or functions are recursive. Similarly to looping forever, these
+methods could potentially call themselves forever, never returning to their
+original caller. When Dafny is not able to guess the termination condition, an
+explicit decreases clause can be given along with pre- and postconditions, as
+in the unnecessary annotation for the fib function:
+
+<!-- %check-verify -->
+```dafny
+function fib(n: nat): nat
+  decreases n
+{
+  if n == 0 then 0
+  else if n == 1 then 1
+  else fib(n - 1) + fib(n - 2)
+}
+```
+
+As before, Dafny can guess this condition on its own, but
+sometimes the decreasing condition is hidden within a field of an
+object or somewhere else where
+Dafny cannot find it on its own, and it requires an explicit annotation.
+
+There is a longer tutorial on termination [here](./Termination).
+
+## Arrays
+
+All that we have considered is fine for toy functions and
+little mathematical exercises, but it really isn't helpful for real programs.
+So far we have only considered a handful of values at a time in local
+variables. Now we turn our attention to arrays of data. Arrays are a built-in
+part of the language, with their own type, `array<T>`,
+where `T` is another type;
+the companion type `array?<T>` is the type of possibly-null arrays.
+That is, `array?<T>` includes all references to one-dimensional arrays of
+element type `T` (i.e., `array<T>`) and the null reference.
+For now we only consider
+arrays of integers, with type `array<int>`.
+Arrays have a built-in length field, `a.Length`.
+Element access uses the standard bracket syntax and indexes from
+zero, so `a[3]` is preceded by the 3 elements `a[0]`,
+`a[1]`, and `a[2]`, in that order.
+All array accesses must be proven to be within bounds, which is part of Dafny's
+no-runtime-errors safety guarantee. Because bounds checks are proven
+at verification time, no runtime checks need to be made. To create a new array,
+it must be allocated with the `new` keyword, but for now
+we will only work with methods that take a previously allocated array as an
+argument.
+
+One of the most basic things we might want to do with an
+array is search through it for a particular key, and return the index of a
+place where we can find the key if it exists. We have two outcomes for a
+search, with a different correctness condition for each. If the algorithm
+returns an index (i.e. non-negative integer), then the key should be present at
+that index. This might be expressed as follows:
+
+<!-- %check-resolve -->
+```dafny
+method Find(a: array<int>, key: int) returns (index: int)
+  ensures 0 <= index ==> index < a.Length && a[index] == key
+{
+  // Can you write code that satisfies the postcondition?
+  // Hint: you can do it with one statement.
+}
+```
+
+The array index here is safe because the implication
+operator is *short circuiting*. Short circuiting means
+if the left part is false, then
+the implication is already true regardless of the truth value of the second
+part, and thus it does not need to be evaluated. Using the short circuiting
+property of the implication operator, along with the boolean "and" (`&&`),
+which is also short circuiting, is a common
+Dafny practice. The condition `index < a.Length` is
+necessary because otherwise the method could return a large integer which is
+not an index into the array. Together, the short circuiting behavior means that
+by the time control reaches the array access, `index`
+must be a valid index.
+
+If the key is not in the array, then we would like the method
+to return a negative number. In this case, we want to say that the method did
+not miss an occurrence of the key; in other words, that the key is not in the
+array. To express this property, we turn to another common Dafny tool:
+quantifiers.
+
+## Quantifiers
+
+A quantifier in Dafny most often takes the form of a <span
+class=Code>forall</span> expression, also called a universal quantifier. As its
+name suggests, this expression is true if some property holds for all elements
+of some set. For now, we will consider the set of integers. An example
+universal quantifier, wrapped in an assertion, is given below:
+
+<!-- %check-verify-warn guide.17.expect -->
+```dafny
+method m()
+{
+  assert forall k :: k < k + 1;
+}
+```
+
+A quantifier introduces a temporary name for each element of
+the set it is considering. This is called the bound variable, in this case `k`.
+The bound variable has a type, which is almost always inferred
+rather than given explicitly and is usually `int` anyway.
+(In general, one can have any number of bound variables, a topic we will return
+to later.) A pair of colons (`::`) separates the bound
+variable and its optional type from the quantified property (which must be of
+type `bool`). In this case, the property is that adding
+one to any integer makes a strictly larger integer. Dafny is able to prove this
+simple property automatically. Generally it is not very useful to quantify over
+infinite sets, such as all the integers. Instead, quantifiers are typically
+used to quantify over all elements in an array or data structure. We do this
+for arrays by using the implication operator to make the quantified property
+trivially true for values which are not indices:
+
+<!-- %no-check -->
+```dafny
+  assert forall k :: 0 <= k < a.Length ==> ...a[k]...;
+```
+
+This says that some property holds for each element of the
+array. The implication makes sure that `k` is actually a valid index into the
+array before evaluating the second part of the expression. Dafny can use this
+fact not only to prove that the array is accessed safely, but also to reduce the
+set of integers it must consider to only those that are indices into the array.
+
+With a quantifier, saying the key is not in the array is
+straightforward:
+
+<!-- %no-check -->
+```dafny
+  forall k :: 0 <= k < a.Length ==> a[k] != key
+```
+
+Thus our method postconditions become:
+
+<!-- %check-resolve -->
+```dafny
+method Find(a: array<int>, key: int) returns (index: int)
+  ensures 0 <= index ==> index < a.Length && a[index] == key
+  ensures index < 0 ==> forall k :: 0 <= k < a.Length ==> a[k] != key
+{
+  // There are many ways to fill this in. Can you write one?
+}
+```
+
+Note that because `a` has type `array<int>`, it is implicitly non-null.
+
+We can fill in the body of this method in a number of ways,
+but perhaps the easiest is a linear search, implemented below:
+
+<!-- %check-verify guide.18.expect -->
+```dafny
+method Find(a: array<int>, key: int) returns (index: int)
+  ensures 0 <= index ==> index < a.Length && a[index] == key
+  ensures index < 0 ==> forall k :: 0 <= k < a.Length ==> a[k] != key
+{
+  index := 0;
+  while index < a.Length
+  {
+    if a[index] == key { return; }
+    index := index + 1;
+  }
+  index := -1;
+}
+```
+
+As you can see, we have omitted the loop invariants on the
+`while` loop, so Dafny gives us a verification error on one of the
+postconditions. The reason we get an error is that Dafny does not know that
+the loop actually covers all the elements. In order to convince Dafny of this,
+we have to write an invariant that says that everything before the current
+index has already been looked at (and are not the key). Just like the
+postcondition, we can use a quantifier to express this property:
+
+<!-- %check-verify guide.19.expect -->
+```dafny
+method Find(a: array<int>, key: int) returns (index: int)
+  ensures 0 <= index ==> index < a.Length && a[index] == key
+  ensures index < 0 ==> forall k :: 0 <= k < a.Length ==> a[k] != key
+{
+  index := 0;
+  while index < a.Length
+    invariant forall k :: 0 <= k < index ==> a[k] != key
+  {
+    if a[index] == key { return; }
+    index := index + 1;
+  }
+  index := -1;
+}
+```
+
+This says that everything before, but excluding, the current
+index is not the key. Notice that upon entering the loop, `index`
+is zero, so the first part of the implication is always false, and thus the
+quantified property is always true. This common situation is known as
+*vacuous truth*: the
+quantifier holds because it is quantifying over an empty set of objects. This
+means that it is true when entering the loop. We test the value of the array
+before we extend the non-key part of the array, so Dafny can prove that this
+invariant is preserved. One problem arises when we try to add this invariant:
+Dafny complains about the index being out of range for the array access within
+the invariant.
+
+This code does not verify because there is no invariant on `index`, so
+it could be greater than the length of the array. Then the bound variable, `k`,
+could exceed the length of the array. To fix this, we put the standard bounds on `index`,
+`0 <= index <= a.Length`. Note that because we say `k < index`, the
+array access is still protected from error
+even when `index == a.Length`. The use of a variable that
+is one past the end of a growing range is a common pattern when working with
+arrays, where it is often used to build a property up one element at a time.
+The complete method is given below:
+
+<!-- %check-verify -->
+```dafny
+method Find(a: array<int>, key: int) returns (index: int)
+  ensures 0 <= index ==> index < a.Length && a[index] == key
+  ensures index < 0 ==> forall k :: 0 <= k < a.Length ==> a[k] != key
+{
+  index := 0;
+  while index < a.Length
+    invariant 0 <= index <= a.Length
+    invariant forall k :: 0 <= k < index ==> a[k] != key
+  {
+    if a[index] == key { return; }
+    index := index + 1;
+  }
+  index := -1;
+}
+```
+
+**Exercise 11.**
+  *Write a method that takes an integer array, which it requires to
+  have at least one element, and returns an index to the maximum of
+  the array's elements. Annotate the method with pre- and
+  postconditions that state the intent of the method, and annotate its
+  body with loop invariant to verify it.*
+
+<!-- %check-resolve -->
+```dafny
+method FindMax(a: array<int>) returns (i: int)
+  // Annotate this method with pre- and postconditions
+  // that ensure it behaves as described.
+{
+  // Fill in the body that calculates the INDEX of the maximum.
+}
+```
+
+A linear search is not very efficient, especially when many
+queries are made of the same data. If the array is sorted, then we can use the
+very efficient binary search procedure to find the key. But in order for us to
+be able to prove our implementation correct, we need some way to require that
+the input array actually is sorted. We could do this directly with a quantifier
+inside a `requires` clause of our method, but a more modular way to express this
+is through a *predicate*.
+
+## Predicates
+
+A predicate is a function which returns a boolean. It is a
+simple but powerful idea that occurs throughout Dafny programs. For example, we
+define the *`sorted`
+predicate* over arrays of integers as a function that takes an array
+as an argument, and returns `true` if and only if that array is
+sorted in increasing order. The use of predicates makes our code shorter, as we
+do not need to write out a long property over and over. It can also make our
+code easier to read by giving a common property a name.
+
+There are a number of ways we could write the `sorted`
+predicate, but the easiest is to use a quantifier over the indices of the
+array. We can write a quantifier that expresses the property, "if `x` is before
+`y` in the array, then `x <= y`," as a quantifier over two bound variables:
+
+<!-- %no-check -->
+```dafny
+  forall j, k :: 0 <= j < k < a.Length ==> a[j] <= a[k]
+```
+
+Here we have two bound variables, `j`
+and `k`, which are both integers. The comparisons between
+the two guarantee that they are both valid indices into the array, and that
+`j` is before `k`. Then the second part
+says that they are ordered properly with respect to one another. Quantifiers are just
+a type of boolean valued expression in Dafny, so we can write the sorted predicate
+as:
+
+<!-- %check-verify guide.20.expect -->
+```dafny
+predicate sorted(a: array<int>)
+{
+  forall j, k :: 0 <= j < k < a.Length ==> a[j] <= a[k]
+}
+```
+
+Note that there is no return type, because predicates always return a boolean.
+
+Dafny rejects this code as given, claiming that the predicate
+cannot read `a`. Fixing this issue requires
+another annotation, the *reads annotation*.
+
+## Framing
+
+The sorted predicate is not able to access the array because
+the array was not included in the function's *reading frame*. The
+reading frame of a function (or predicate) is all the memory locations
+that the function is allowed to read. The reason we might limit what a function
+can read is so that when we write to memory, we can be sure that functions that
+did not read that part of memory have the same value they did before. For
+example, we might have two arrays, one of which we know is sorted. If we did
+not put a reads annotation on the sorted predicate, then when we modify the
+unsorted array, we cannot determine whether the other array stopped being
+sorted. While we might be able to give invariants to preserve it in this case,
+it gets even more complex when manipulating data structures. In this case,
+framing is essential to making the verification process feasible.
+
+<!-- %check-verify -->
+```dafny
+predicate sorted(a: array<int>)
+  reads a
+{
+  forall j, k :: 0 <= j < k < a.Length ==> a[j] <= a[k]
+}
+```
+
+A `reads` annotation is not a boolean expression, like the
+other annotations we have seen, and can appear anywhere along with the pre- and
+postconditions. Instead of a property that should be true, it specifies a set
+of memory locations that the function is allowed to access. The name of an
+array, like `a` in the above example, stands for all the
+elements of that array. One can also specify object fields and sets of objects,
+but we will not concern ourselves with those topics here. Dafny will check that
+you do not read any memory
+location that is not stated in the reading frame. This means that function
+calls within a function must have reading frames that are a subset of the
+calling function's reading frame. One thing to note is that parameters to the
+function that are not memory locations do not need to be declared.
+
+Frames also affect methods. As you might have guessed, they
+are not required to list the things they read, as we have written a method
+which accesses an array with no `reads` annotation. Methods are allowed to read
+whatever memory they like, but they are required to list which parts of memory
+they modify, with a *modifies annotation*. They are almost identical
+to their `reads` cousins,
+except they say what can be changed, rather than what the value of the function
+depends on. In combination with reads, modification
+restrictions allow Dafny to prove properties of code that would otherwise be
+very difficult or impossible. `reads` and `modifies` are among the tools that
+enable Dafny to work on one method at a time, because they restrict what would
+otherwise be arbitrary modifications of memory to something that Dafny can
+reason about.
+
+
+Note that framing only applies to the *heap*, or memory accessed through
+references. Local variables are not stored on the heap, so they cannot be mentioned
+in `reads` annotations. Note also that types like sets, sequences, and multisets are value
+types, and are treated like integers or local variables. Arrays and objects are
+reference types, and they are stored on the heap (though as always there is a subtle
+distinction between the reference itself and the value it points to.)
+
+
+**Exercise 12.**
+  *Modify the definition of the `sorted` predicate so that it returns
+  true exactly when the array is sorted and all its elements are
+  distinct.*
+
+<!-- %check-resolve -->
+```dafny
+predicate sorted(a: array<int>)
+  reads a
+{
+  false // Fill in a new body here.
+}
+```
+
+**Exercise 13.**
+  *Change the definition of `sorted` so that it allows its argument to be 
+  null (using a nullable array type) but
+  returns false if it is.*
+
+<!-- %check-verify -->
+```dafny
+predicate sorted(a: array<int>) // Change the type
+  reads a
+{
+  // Change this definition to treat null arrays as "not sorted".
+  // (i.e. return false for null arrays)
+  forall j, k :: 0 <= j < k < a.Length ==> a[j] <= a[k]
+}
+```
+
+## Binary Search
+
+Predicates are usually used to make other annotations clearer:
+
+<!-- %check-resolve -->
+```dafny
+predicate sorted(a: array<int>)
+  reads a
+{
+  forall j, k :: 0 <= j < k < a.Length ==> a[j] <= a[k]
+}
+method BinarySearch(a: array<int>, value: int) returns (index: int)
+  requires 0 <= a.Length && sorted(a)
+  ensures 0 <= index ==> index < a.Length && a[index] == value
+  ensures index < 0 ==> forall k :: 0 <= k < a.Length ==> a[k] != value
+{
+  // This one is a little harder. What should go here?
+}
+```
+
+We have the same postconditions that we did for the linear
+search, as the goal is the same. The difference is that now we know the array
+is sorted. Because Dafny can unwrap functions, inside the body of the method it
+knows this too. We can then use that property to prove the correctness of the
+search. The method body is given below:
+
+<!-- %check-verify -->
+```dafny
+predicate sorted(a: array<int>)
+  reads a
+{
+  forall j, k :: 0 <= j < k < a.Length ==> a[j] <= a[k]
+}
+method BinarySearch(a: array<int>, value: int) returns (index: int)
+  requires 0 <= a.Length && sorted(a)
+  ensures 0 <= index ==> index < a.Length && a[index] == value
+  ensures index < 0 ==> forall k :: 0 <= k < a.Length ==> a[k] != value
+{
+  var low, high := 0, a.Length;
+  while low < high
+    invariant 0 <= low <= high <= a.Length
+    invariant forall i ::
+      0 <= i < a.Length && !(low <= i < high) ==> a[i] != value
+  {
+    var mid := (low + high) / 2;
+    if a[mid] < value {
+      low := mid + 1;
+    } else if value < a[mid] {
+      high := mid;
+    } else {
+      return mid;
+    }
+  }
+  return -1;
+}
+```
+
+This is a fairly standard binary search implementation. First we
+declare our range to search over. This can be
+thought of as the remaining space where the key could possibly be. The range is
+inclusive-exclusive, meaning it encompasses indices \[`low`, `high`). The first
+invariant expresses the fact that this range is within the array. The second
+says that the key is not anywhere outside of this range. In the first two
+branches of the `if` chain, we find the element in the middle of our range is not
+the key, and so we move the range to exclude that element and all the other
+elements on the appropriate side of it. We need the addition of one when moving
+the lower end of the range because it is inclusive on the low side. If we do not add one, then
+the loop may continue forever when `mid == low`, which
+happens when `low + 1 == high`. We could change this to
+say that the loop exits when `low` and `high` are one apart, but this would mean we
+would need an extra check after the loop to determine if the key was found at
+the one remaining index. In the above formulation, this is unnecessary because
+when `low == high`, the loop exits. But this means that
+no elements are left in the search range, so the key was not found. This can be
+deduced from the loop invariant:
+
+<!-- %no-check -->
+```dafny
+  invariant forall i ::
+    0 <= i < a.Length && !(low <= i < high) ==> a[i] != value
+```
+
+When `low == high`, the negated
+condition in the first part of the implication is always true (because no `i`
+can be both at least and strictly smaller than the same
+value). Thus the invariant says that all elements in the array are not the key,
+and the second postcondition holds. As you can see, it is easy to introduce
+subtle off by one errors in this code. With the invariants, not only can Dafny
+prove the code correct, but we can understand the operation of the code more easily
+ourselves.
+
+
+**Exercise 14.**
+  *Change the assignments in the body of `BinarySearch` to set `low`
+  to `mid` or to set `high` to `mid - 1`. In each case, what goes
+  wrong?*
+
+<!-- %check-verify -->
+```dafny
+predicate sorted(a: array<int>)
+  reads a
+{
+  forall j, k :: 0 <= j < k < a.Length ==> a[j] <= a[k]
+}
+method BinarySearch(a: array<int>, value: int) returns (index: int)
+  requires 0 <= a.Length && sorted(a)
+  ensures 0 <= index ==> index < a.Length && a[index] == value
+  ensures index < 0 ==> forall k :: 0 <= k < a.Length ==> a[k] != value
+{
+  var low, high := 0, a.Length;
+  while low < high
+    invariant 0 <= low <= high <= a.Length
+    invariant forall i ::
+         0 <= i < a.Length && !(low <= i < high) ==> a[i] != value
+  {
+    var mid := (low + high) / 2;
+    if a[mid] < value {
+      low := mid + 1;
+    } else if value < a[mid] {
+      high := mid;
+    } else {
+      return mid;
+    }
+  }
+  return -1;
+}
+```
+
+## Conclusion
+
+We've seen a whirlwind tour of the major features of Dafny,
+and used it for some interesting, if a little on the small side, examples of
+what Dafny can do. But to really take advantage of the power Dafny offers, one
+needs to plow ahead into the advanced topics: objects, sequences and sets, data
+structures, lemmas, etc. Now that you are familiar with the basics of Dafny,
+you can peruse the tutorials on each of these topics at your leisure. Each
+tutorial is designed to be a relatively self-contained guide to its topic,
+though some benefit from reading others beforehand. The examples are also a
+good place to look for model Dafny programs. Finally, the reference contains the
+gritty details of Dafny syntax and semantics, for when you just need to know
+what the disjoint set operator is (it's `!!`, for those
+interested).
+
+Even if you do not use Dafny regularly, the idea of writing
+down exactly what it is that the code does in a precise way, and using this to
+prove code correct is a useful skill. Invariants, pre- and postconditions,
+and annotations are useful in debugging code, and also as documentation for future
+developers. When modifying or adding to a codebase, they confirm that the
+guarantees of existing code are not broken. They also ensure that APIs are used
+correctly, by formalizing behavior and requirements and enforcing correct
+usage. Reasoning from invariants, considering pre- and postconditions, and
+writing assertions to check assumptions are all general computer science skills
+that will benefit you no matter what language you work in.
diff --git a/v4.10.0/QuickReference.md b/v4.10.0/QuickReference.md
new file mode 100644
index 0000000..b3e92be
--- /dev/null
+++ b/v4.10.0/QuickReference.md
@@ -0,0 +1,339 @@
+---
+title: Dafny Quick Reference
+---
+
+# Dafny Quick Reference
+
+This page illustrates many of the most common language features in Dafny.  In order to get you started more quickly, the descriptions here are simplified&#8211;this page is not the language reference.  For example, this page does not go into modules, iterators, or refinement, which you won&#8217;t need until you write larger or more advanced programs in Dafny.
+
+## Programs
+
+At the top level, a Dafny program (stored as a file with extension .dfy) is a set of declarations.
+The declarations introduce _types_, _methods_, and _functions_, where the order of introduction is irrelevant.
+These user-defined types include _classes_ and _inductive datatypes_.
+The classes themselves also contain a set of declarations, introducing _fields_, methods, and functions.
+If the program contains a parameter-less method called Main, then execution of the compiled program starts there, but it is not necessary to have a main method to do verification.
+
+Comments start with // and go to the end of the line, or start with /* and end with */ and can be nested.
+
+## Fields
+
+In a class, a field x of some type T is declared as: `var x: T`
+
+Unlike for local variables and bound variables, the type is required and will not be inferred.
+The field can be declared to be a ghost (that is, used for specification and not execution) field by preceding the declaration with the keyword `ghost`.
+Dafny's types include `bool` for booleans, `int` for mathematical (that is, unbounded) integers, `string` for strings, user-defined classes and inductive datatypes, `set<T>` for a finite mathematical (immutable) set of `T` values (where `T` is a type), and `seq<T>` for a mathematical (immutable) sequence of `T` values.
+In addition, there are array types (which are like predefined "class" types) of one and more dimensions, written `array<T>`, `array2<T>`, `array3<T>`, etc.
+The type `object` is a supertype of all class types, that is, an object denotes any reference, including `null`.
+Another useful type is `nat`, which denotes a subrange of `int`, namely the non-negative integers.
+
+## Methods
+
+A method declaration (either at the top level or inside a class) has the form:
+<pre>
+method M(a: A, b: B, c: C) returns (x: X, y: Y, z: Y)
+  requires Pre
+  modifies Frame
+  ensures Post
+  decreases TerminationMetric
+{
+  Body
+}
+</pre>
+where a, b, c are the method's in-parameters,
+x, y, z are the method's out-parameters,
+Pre is a boolean expression denoting the method's precondition,
+Frame denotes a set of objects whose fields may be updated by the method,
+Post is a boolean expression denoting the method's postcondition,
+TerminationMetric is the method's variant function,
+and Body is a statement that implements the method.
+Frame can be a list of expressions, each of which is a set of objects or a single object, the latter standing for the singleton set consisting of that one object.
+The method's frame is the union of these sets, plus the set of objects allocated by the method body.
+For example, if c and d are parameters of a class type C, then each line of
+<pre>
+  modifies {c, d}
+  modifies {c} + {d}
+  modifies c, {d}
+  modifies c, d
+</pre>
+means the same thing.
+
+If omitted, the pre- and postconditions default to true and the frame defaults to the empty set.
+The variant function is a list of expressions, denoting the lexicographic tuple consisting of the given expressions followed implicitly by “top” elements.
+If omitted, Dafny will guess a variant function for the method, usually the lexicographic tuple that starts with the list of the method's in-parameters.
+The Dafny IDE will show the guess in a tooltip.
+
+A method can be declared as ghost (specification-only) by preceding the declaration with the keyword `ghost`.
+By default, a method in a class has an implicit receiver parameter, `this`.
+This parameter can be removed by preceding the method declaration with the keyword `static`.
+A static method `M` in a class `C` can be invoked by `C.M(...)`.
+
+In a class, a method can be declared to be a constructor method by replacing the keyword `method` with the keyword `constructor`.
+A constructor can only be called at the time an object is allocated (see object-creation examples below), and for a class that contains one or more constructors, object creation must be done in conjunction with a call to a constructor.
+Ordinarily, a method has a name, of course, but a class is allowed to have one constructor without a name&#8211;an _anonymous constructor_&#8211;like this:
+<pre>
+  constructor (n: int)
+    modifies this
+  {
+    Body
+  }
+</pre>
+
+Sometimes, methods are used as lemmas.
+This can be made clearer in the program text by declaring the method with `lemma` instead of `method`.
+
+Here is an example method that takes 3 integers as in-parameters and returns these in 3 out-parameters in sorted order:
+```
+method Sort(a: int, b: int, c: int) returns (x: int, y: int, z: int)
+  ensures x <= y <= z && multiset{a, b, c} == multiset{x, y, z}
+{
+  x, y, z := a, b, c;
+  if z < y {
+    y, z := z, y;
+  }
+  if y < x {
+    x, y := y, x;
+  }
+  if z < y {
+    y, z := z, y;
+  }
+}
+```
+
+## Functions
+
+A function declaration (either at the top level or inside a class) has the form:
+```
+function F(a: A, b: B, c: C): T
+  requires Pre
+  reads Frame
+  ensures Post
+  decreases TerminationMetric
+{
+  Body
+}
+```
+
+where a, b, c are the method's parameters, T is the type of the function's result,
+Pre is a boolean expression denoting the function's precondition,
+Frame denotes a set of objects whose fields the function body may depend on,
+Post is a boolean expression denoting the function's postcondition,
+TerminationMetric is the function's variant function,
+and Body is an expression that defines the function.
+
+The precondition allows a function to be partial, that is, the precondition says when the function is defined (and Dafny will verify that every use of the function meets the precondition).
+The postcondition is usually not needed, since the body of the function gives the full definition.
+However, the postcondition can be a convenient place to declare properties of the function that may require an inductive proof to establish.
+For example:
+```
+function Factorial(n: int): int
+  requires 0 <= n
+  ensures 1 <= Factorial(n)
+{
+  if n == 0 then 1 else Factorial(n-1) * n
+}
+```
+says that the result of `Factorial` is always positive, which Dafny verifies inductively from the function body.
+To refer to the function's result in the postcondition, use the name of the function itself, as shown in the example.
+
+By default, a function is ghost, and cannot be called from executable (non-ghost) code. To make it non-ghost, replace the keyword `function` with the keyword phrase `function method`.
+A function that returns a boolean can be declared with the keyword `predicate` and then eliding the colon and return type.
+
+If a function or method is declared as a member of a type (like a `class`), then it has an implicit receiver parameter, `this`.
+This parameter can be removed by preceding the declaration with the keyword `static`. A static function `F` in a class `C` can be invoked by `C.F(...)`.
+This is a convenient way to declare a number of helper functions in a separate class.
+
+## Classes
+
+A class is defined as follows:
+```
+class C {
+  // member declarations go here
+}
+```
+
+where the members of the class (fields, methods, and functions) are defined (as described above) inside the curly braces.
+## Datatypes
+
+An inductive datatype is a type whose values are created using a fixed set of constructors.
+A datatype `Tree` with constructors `Leaf` and `Node` is declared as follows:
+```
+datatype Tree = Leaf | Node(Tree, int, Tree)
+```
+The first constructor is optionally preceded by a vertical bar.
+
+The constructors are separated by vertical bars.
+Parameter-less constructors need not use parentheses, as is shown here for `Leaf`.
+
+For each constructor `Ct`, the datatype implicitly declares a boolean member `Ct?`, which returns true for those values that have been constructed using Ct.
+For example, after the code snippet:
+<pre>var t0 := Leaf; var t1 := Node(t0, 5, t0);</pre>
+
+the expression `t1.Node?` evaluates to `true` and `t0.Node?` evaluates to `false`.
+Two datatype values are equal if they have been created using the same constructor and the same parameters to that constructor.
+Therefore, for parameter-less constructors like `Leaf`, `t.Leaf?` gives the same result as `t == Leaf`.
+
+A constructor can optionally declare a destructor for any of its parameters, which is done by introducing a name for the parameter.
+For example, if `Tree` were declared as:
+<pre>datatype Tree = Leaf | Node(left: Tree, data: int, right: Tree)</pre>
+
+then `t1.data == 5` and `t1.left == t0` hold after the code snippet above.
+
+## Generics
+
+Dafny supports type parameters.
+That is, any type, method, and function can have type parameters.
+These are declared in angle brackets after the name of what is being declared. For example:
+```
+class MyMultiset<T> {
+  /*...*/
+}
+
+datatype Tree<T> = Leaf | Node(Tree<T>, T, Tree<T>)
+
+method Find<T>(key: T, collection: Tree<T>) {
+  /*...*/
+}
+
+function IfThenElse<T>(b: bool, x: T, y: T): T {
+  /*...*/
+}
+```
+
+## Statements
+
+Here are examples of the most common statements in Dafny.
+```
+  var LocalVariables := ExprList;
+
+  Lvalues := ExprList;
+
+  assert BoolExpr;
+
+  print ExprList;
+
+  if BoolExpr0 {
+    Stmts0
+  } else if BoolExpr1 {
+    Stmts1
+  } else {
+    Stmts2
+  }
+
+  while BoolExpr
+    invariant Inv
+    modifies Frame
+    decreases Rank
+  {
+    Stmts
+  }
+
+  match Expr {
+    case Empty => Stmts0
+    case Node(l, d, r) => Stmts1
+  }
+
+  break;
+
+  return;
+```
+
+The `var` statement introduces local variables (which are not allowed to shadow other variables declared inside the same set of most tightly enclosing curly braces).
+Each variable can optionally be followed by `: T` for any type `T`, which explicitly gives the preceding variable the type `T` (rather than being inferred).
+The ExprList with initial values is optional.
+To declare the variables as ghost variables, precede the declaration with the keyword `ghost`.
+
+The assignment statement assigns each right-hand side in ExprList to the corresponding left-hand side in Lvalues.
+These assignments are performed in parallel (more to the point, all necessary reads occur before the writes), so the left-hand sides must denote distinct L-values.
+Each right-hand side can be an expression or an object creation of one of the following forms:
+```
+  new T
+  new T.Init(ExprList)
+  new T(ExprList)
+  new T[SizeExpr]
+  new T[SizeExpr0, SizeExpr1]
+```
+
+The first form allocates an object of type `T`.
+The second form additionally invokes an initialization method or constructor on the newly allocated object.
+The third form shows how the syntax differs from the second form when the constructor called is anonymous.
+The other forms show examples of array allocations, in particular a one- and a two-dimensional array of `T` values, respectively.
+
+The entire right-hand side of an assignment can also be a method call, in which case the left-hand sides are the actual out-parameters (omitting the `:=` if there are no out-parameters).
+
+The `assert` statement claims that the given expression evaluates to true (which is checked by the verifier).
+
+The `print` statement outputs to standard output the values of the given print expressions.
+Characters in strings can be escaped; for example, of interest for the print statement is that `\n` denotes a newline character inside a string.
+
+The `if` statement is the usual one.
+The example shows stringing together alternatives using `else if`.
+The `else` branch is optional, as usual.
+
+The `while` statement is the usual loop, where the `invariant` declaration gives a loop invariant,
+the `modifies` clause restricts the modification frame of the loop,
+and the `decreases` clause introduces a variant function for the loop.
+By default, the loop invariant is true, the modification frame is the same as in the enclosing context (usually the `modifies` clause of the enclosing method), and the variant function is guessed from the loop guard.
+
+The `match` statement evaluates the source Expr, an expression whose type is an inductive datatype, and then executes the case corresponding to which constructor was used to create the source datatype value, binding the constructor parameters to the given names.
+If they are not needed to mark the end of the match statement, then the curly braces that surround the cases can be elided.
+
+The `break` statement can be used to exit loops, and the `return` statement can be used to exit a method.
+
+## Expressions
+
+The expressions in Dafny are quite similar to those in Java-like languages. Here are some noteworthy differences.
+
+In addition to the short-circuiting boolean operators `&&` (and) and `||` (or), Dafny has a short-circuiting implication operator `==>` and an if-and-only-if operator `<==>`.
+As suggested by their widths, `<==>` has lower binding power than `==>`, which in turn has lower binding power than `&&` and `||`.
+
+Dafny comparison expressions can be chaining, which means that comparisons "in the same direction" can be strung together. For example,
+`0 <= i < j <= a.Length == N`
+
+has the same meaning as:
+`0 <= i && i < j && j <= a.Length && a.Length == N`
+
+Note that boolean equality can be expressed using both `==` and `<==>`. There are two differences between these.
+First, `==` has a higher binding power than `<==>`. Second, `==` is _chaining_ while `<==>` is _associative_.
+That is, `a == b == c` is the same as `a == b && b == c`, whereas `a <==> b <==> c` is the same as `a <==> (b <==> c)`, which is also the same as `(a <==> b) <==> c`.
+
+Operations on integers are the usual ones, except that `/` (integer division) and `%` (integer modulo) follow the Euclidean definition, which means that `%` always results in a non-negative number.
+(Hence, when the first argument to `/` or `%` is negative, the result is different than what you get in C, Java, or C#, see <a href="http://en.wikipedia.org/wiki/Modulo_operation" target="_self">http://en.wikipedia.org/wiki/Modulo_operation</a>.)
+
+
+Dafny expressions include universal and existential quantifiers, which have the form:
+`forall x :: Expr` and `exists x :: Expr`, where `x` is a bound variable (which can be declared with an explicit type, as in `x: T`) and `Expr` is a boolean expression.
+
+Operations on sets include `+` (union), `*` (intersection), and `-` (set difference), the set comparison operators `<` (proper subset), `<=` (subset), their duals `>` and `>=`, and `!!` (disjointness).
+The expression `x in S` says that `x` is a member of set `S`, and `x !in S` is a convenient way of writing `!(x in S)`.
+
+To make a set from some elements, enclose them in curly braces.
+For example, `{x,y}` is the set consisting of `x` and `y` (which is a singleton set if `x == y`), `{x}` is the singleton set containing `x`, and `{}` is the empty set.
+
+
+Operations on sequences include `+` (concatenation) and the comparison operators `<` (proper prefix) and `<=` (prefix).
+Membership can be checked like for sets: `x in S` and `x !in S`.
+The length of a sequence S is denoted `|S|`, and the elements of such a sequence have indices from 0 to less than `|S|`.
+The expression `S[j]` denotes the element at index `j` of sequence `S`.
+The expression `S[m..n]`, where `0 <= m <= n <= |S|`, returns a sequence whose elements are the `n-m` elements of `S` starting at index `m` (that is, from `S[m]`, `S[m+1]`, ... up to but not including `S[n]`).
+The expression `S[m..]`; (often called "drop m") is the same as `S[m..|S|]`;, that is, it returns the sequence whose elements are all but the first `m` elements of `S`.
+The expression `S[..n]`; (often called "take n") is the same as `S[0..n]`, that is, it returns the sequence that consists of the first n elements of S.
+
+If `j` is a valid index into sequence `S`, then the expression `S[j := x]`; is the sequence that is like `S` except that it has `x` at index `j`.
+
+Finally, to make a sequence from some elements, enclose them in square brackets.
+For example, `[x,y]` is the sequence consisting of the two elements `x` and `y` such that `[x,y][0] == x` and `[x,y][1] == y`, `[x]` is the singleton sequence whose only element is `x`, and `[]` is the empty sequence.
+
+
+The if-then-else expression has the form: `if BoolExpr then Expr0 else Expr1`
+
+where Expr0 and Expr1 are any expressions of the same type.
+Unlike the if statement, the if-then-else expression uses the `then` keyword, and must include an explicit `else` branch.
+
+
+The `match` expression is analogous to the match statement and has the form:
+```
+match Expr { case Empty => Expr0 case Node(l, d, r) => Expr1 }
+```
+
+The curly braces can be used to mark the end of the match expression, but most commonly this is not needed and the curly braces can then be elided.
diff --git a/v4.10.0/README.md b/v4.10.0/README.md
new file mode 100644
index 0000000..f0c2c83
--- /dev/null
+++ b/v4.10.0/README.md
@@ -0,0 +1,19 @@
+---
+layout: default
+---
+
+## Snapshots of documentation
+
+The current development work and git history of documentation is in the 
+`dafny-lang/dafny` repository, in the `docs` folder.
+
+The `dafny-lang/dafny.github.io` repo is the target for `https://dafny.org` 
+and is the entry point to all the user-facing documentation about Dafny.
+
+At the top-level is just the index.html landing page, supporting files 
+(e.g., images) and files needed for the Github markdown translation.
+
+Sub-folders contain _snapshots_ of the Dafny documentation at the time of 
+each release (beginning with 3.9.0). 
+Each snapshot is in its own folder, e.g. dafny.org/vX.Y.Z, with `latest` 
+containing the most recent, and `dev` redirecting to the development docs.
diff --git a/v4.10.0/Snapshots.md b/v4.10.0/Snapshots.md
new file mode 100644
index 0000000..1da0943
--- /dev/null
+++ b/v4.10.0/Snapshots.md
@@ -0,0 +1,24 @@
+---
+layout: default
+---
+<link rel="stylesheet" href="assets/main.css">
+
+## Dafny Documentation snapshots
+
+- [Current development version](https://dafny.org/dafny)
+- [Latest release snapshot](https://dafny.org/latest)
+- [v4.10.0](https://dafny.org/v4.10.0)
+- [v4.9.1](https://dafny.org/v4.9.1)
+- [v4.8.1](https://dafny.org/v4.8.1)
+- [v4.6.0](https://dafny.org/v4.6.0)
+- [v4.5.0](https://dafny.org/v4.5.0)
+- [v4.4.0](https://dafny.org/v4.4.0)
+- [v4.3.0](https://dafny.org/v4.3.0)
+- [v4.2.0](https://dafny.org/v4.2.0)
+- [v4.1.0](https://dafny.org/v4.1.0)
+- [v4.0.0](https://dafny.org/v4.0.0)
+- [v3.12.0](https://dafny.org/v3.12.0)
+- [v3.11.0](https://dafny.org/v3.11.0)
+- [v3.10.0](https://dafny.org/v3.10.0)
+- [v3.9.1](https://dafny.org/v3.9.1)
+- [v3.9.0](https://dafny.org/v3.9.0)
diff --git a/v4.10.0/StyleGuide/Style-Guide.md b/v4.10.0/StyleGuide/Style-Guide.md
new file mode 100644
index 0000000..e80f507
--- /dev/null
+++ b/v4.10.0/StyleGuide/Style-Guide.md
@@ -0,0 +1,405 @@
+---
+title: Dafny Style Guide
+---
+
+# Dafny Style Guide
+
+* toc
+{:toc}
+
+This style guide describes recommended coding conventions for Dafny code.
+
+*This documentation is still in progress. Please feel free to add more suggestions.*
+
+## Naming Convention
+Any **variables** are named with `camelCase`.
+```dafny
+var minValue := 1;
+var cipherMessage := "Hello World";
+```
+
+Any **lemmas**, **predicates**, **functions**, **methods**, **classes**, **modules**, **datatypes**, and **newtypes**
+are named with `PascalCase`.
+```dafny
+method FindIndex(arr: seq<int>, k: int)
+  ...
+```
+
+Any static or global **constants** are named with `UPPERCASE_WITH_UNDERSCORES` (a.k.a. SCREAMING_SNAKE_CASE).
+```dafny
+static const MONTHS_IN_A_YEAR := 12
+```
+
+### Method Prefix
+Avoid redundant names when variables or methods are in a class/module.
+In the following example, name the method `ToString` so that the call is just `Integer.ToString(i)`
+rather than `Integer.IntegerToString(i)`; this avoids redundancy with both the module name and the
+formal argument type.
+```dafny
+class Integer {
+
+  // YES
+  method ToString(i: int) returns (s: string)
+    ...
+
+  // NO
+  method IntegerToString(i: int) returns (s: string)
+    ...
+}
+```
+
+## Module names
+
+Library code should be encapsulated in a containing module, likely with submodules.
+The containing module should have a name that is descriptive but also likely to be unique, as top-level modules with the same name cannot be combined in one program.
+Reserve the name `Dafny` for system supplied code.
+
+## Code Layout
+
+### Braces
+Opening braces go on the same line by default.
+```dafny
+module M {
+  ...
+  method Met() {
+    ...
+  }
+}
+```
+In case the method (or function, lemma, etc) signature is too long to fit in one line, or in case the signature has at
+least one specification clause, the opening brace goes on a new line.
+
+```dafny
+module M {
+  ...
+  method Met(i: int) returns (j: int)
+    requires i % 2 == 0
+    ensures j > 10
+  {
+    ...
+  }
+}
+```
+
+This applies to every scope: `module`, `class`, `predicate`, `if`, `while`, and more.
+
+### Imports
+
+By default, import modules without opening them.
+```dafny
+import Coffee
+...
+```
+
+However, if some members of a module are used very frequently, import them using `opened`:
+```dafny
+import opened Donut
+...
+```
+When a file uses two modules and both of them define a method of the same name, do not import them `opened`.
+```dafny
+import MyModule
+import YourModule
+...
+method MyMethod() {
+  MyModule.foo();
+  YourModule.foo();
+}
+```
+
+In this case, if you want to shorten the module name, import the module with a shorthand name.
+```dafny
+import M = MyModuleWithACumbersomeName
+import Y = YourModuleWithACumbersomeName
+...
+method MyMethod() {
+  M.foo();
+  Y.foo();
+}
+```
+
+Common imports, such as `StandardLibrary` and `Native`, should be grouped together, followed by custom module imports
+with a blank line in-between.
+
+```dafny
+import opened StandardLibrary
+import opened Native
+
+import opened Donut
+import Coffee
+```
+
+Although not required, it's recommended to keep the order of `import`s and `include`s alphabetical, except when it
+makes more sense to group them logically.
+
+## Indentation and Line Breaks
+
+### Tabs or Spaces?
+Spaces are preferred over tabs. Tabs should only be used to remain consistent with existing code containing tabs.
+
+Use 2 spaces for each indentation.
+
+### Maximum Character Limit
+Although there is no strict requirement, it is generally recommended to have a maximum of 120 characters per line.
+
+### Newlines
+Put one blank line between sequential **functions**, **methods**, **predicates**, and **lemmas** to increase readability.
+
+End each file with a newline character.
+
+### Functions, Methods, Predicates, and Lemmas
+Every Dafny method has the following signature.
+```dafny
+method {:<attributes>} MethodName(param1: Type, param2: Type) returns (ret: Type)
+  requires P()
+  modifies param2
+  ensures Q()
+  decreases param1
+```
+
+When possible, put `MethodName` and the `returns` statement on the same line, as the keyword `returns` is distinct from
+other method specification clauses, such as `requires`, `modifies`, `ensures`, and `decreases`, which should appear in
+this order. Each method specification clause should be on a separate line, indented.
+
+In case the Method signature is too long, we can break it down.
+```dafny
+method {:<attributes>} MethodName(param1: Type, param2: Type,
+        param3: Type, param4: Type, param5: Type)
+  returns (ret1: Type, ret2: Type, ret3: Type, ret4: Type,
+        ret5: Type)
+  requires P1()
+  requires P2()
+  requires P3()
+  modifies param2
+  modifies param3
+  ensures Q1()
+  ensures Q2()
+  decreases param1
+```
+
+Multiple `requires` or `ensures` can be combined into one:
+```dafny
+requires
+  && P1()
+  && P2()
+  && P3()
+```
+The same rules apply to `function`, `predicate`, and `lemma` definitions.
+
+## Content Conventions
+
+### Order
+
+Functions, predicates, and methods within a file should be sorted topologically, meaning that everything `method M` depends on should be above `M` in the file.
+
+```
+function MyFunction(a: int): int
+{ 
+  ...
+}
+method MyMethod(i: int)
+{
+  ...
+  return MyFunction(i);
+}
+```
+
+### Predicates
+
+Predicates should be used instead of functions that return a `bool` value.
+
+```
+// YES
+predicate Foo()
+{
+  ...
+}
+
+// NO
+function Foo(): bool
+{
+  ...
+}
+```
+
+### Lemmas
+
+When writing inductive proofs, contributors are strongly encouraged to
+make the base case explicit.
+
+```
+// YES
+lemma LemmaMinOfConcat(a: seq<int>, b: seq<int>)
+  requires 0 < |a| && 0 < |b|
+  ensures Min(a+b) <= Min(a)
+  ensures Min(a+b) <= Min(b)
+  ensures Min(a+b) == Min(a) || Min(a+b) == Min(b)
+{
+  if |a| == 1 {
+  } else {
+    assert a[1..] + b == (a + b)[1..];
+    LemmaMinOfConcat(a[1..], b);
+  }
+}
+
+// NO
+lemma LemmaMinOfConcat(a: seq<int>, b: seq<int>)
+  requires 0 < |a| && 0 < |b|
+  ensures Min(a+b) <= Min(a)
+  ensures Min(a+b) <= Min(b)
+  ensures Min(a+b) == Min(a) || Min(a+b) == Min(b)
+{
+  if |a| > 1 {
+    assert a[1..] + b == (a + b)[1..];
+    LemmaMinOfConcat(a[1..], b);
+  }
+}
+```
+
+## Things to Avoid
+
+### Parentheses
+
+In many cases, Dafny does not require parentheses around expressions. Here are some examples.
+
+* If-Else-While Statements
+
+```dafny
+// YES
+var i := 1;
+while i < 10 {
+  ...
+  if 1 < i {
+    ...
+  }
+  ...
+}
+
+// NO
+var i := 1;
+while (i < 10) {
+  ...
+  if (1 < i) {
+    ...
+  }
+  ...
+}
+```
+
+* Statements That Take Expression Arguments
+
+```dafny
+// YES
+assert x < 100;
+print x;
+
+// NO
+assert(x < 100);
+print(x);
+```
+
+* Simple Boolean/Arithmetic Expressions
+
+```dafny
+// YES
+method Collatz(num: nat)
+  decreases *
+{
+  var n := num;
+  while 1 < n
+    decreases *
+  {
+    n := if n % 2 == 0 then n / 2 else n * 3 + 1;
+  }
+}
+
+// NO
+method Collatz(num: nat)
+  decreases *
+{
+  var n := num;
+  while (1 < n) // unnecessary parentheses
+    decreases *
+  {
+    n := if ((n % 2) == 0) then (n / 2) else ((n * 3) + 1); // unnecessary parentheses
+  }
+}
+```
+### Whitespace
+
+Avoid unnecessary whitespace inside expressions.
+
+#### Type Declaration
+A type declaration should have a form of `variableName: variableType`.
+
+```dafny
+// YES
+const one: int := 1
+class {:extern} Util {
+  var {:extern} Exception: System.String
+}
+
+// NO
+const one : int := 1 // unnecessary whitespace
+class {:extern} Util {
+  var {:extern} Exception : System.String // unnecessary whitespace
+}
+```
+
+If the type can be inferred by Dafny, leave it out, unless you think it provides
+useful documentation in the program. So, constant `one` above is better declared as
+```dafny
+const one := 1
+```
+
+#### Function, Method, Predicate, and Lemma Declaration
+The `function`, `method`, `predicate`, and `lemma` definitions should have the form
+`FunctionName(parameterName: parameterType, ...)`.
+
+```dafny
+// YES
+function method Foo<int>(i: int): int
+
+// NO
+function method Foo<int> (i : int) : int // unnecessary whitespace
+```
+
+Avoid too little or too much whitespace that reduces the overall readability.
+
+```dafny
+// YES
+lemma MyLemma<A, B>(x: seq<seq<A>>, y: B) {
+  ...
+}
+
+// NO
+lemma MyLemma <A,B> ( x : seq<seq<A>> , y :B){
+  ...
+}
+```
+
+#### Attributes
+Omit white space between the `:` and the attribute name.
+```dafny
+// YES
+method {:extern} m() { ... }
+
+// NO
+method {: extern} m() { ... }
+```
+
+## Recommendations
+This section describes a few recommendations that can help make code more readable and easy to follow, although not
+strictly enforced.
+
+### Externs
+Try to name them the same in Dafny and the target language (e.g. C#, Java, etc) whenever possible, so that in Dafny we
+only have to write `{:extern}`, not `{:extern "<name>"}`.
+
+### Things to Consider
+Ask these questions before designing / implementing a program in Dafny.
+* Is this variable name / function name `X` a good name? Is its purpose intuitively clear from the name?
+* Does it make sense that this method `M` is in module `X`? Shouldn't it be in module `Y` instead?
+* Does the definition `X` belong to the file `Y.dfy`?
+* Is `X.dfy` a good filename, that is, is its intended use clear from the name?
+
diff --git a/v4.10.0/VerificationOptimization/VerificationOptimization.md b/v4.10.0/VerificationOptimization/VerificationOptimization.md
new file mode 100644
index 0000000..c38198e
--- /dev/null
+++ b/v4.10.0/VerificationOptimization/VerificationOptimization.md
@@ -0,0 +1,648 @@
+---
+title: Verification Optimization
+---
+
+# Overview
+
+Dafny verifies your program using a type of theorem prover known as a Satisfiability Modulo Theories (SMT) solver. More specifically, it uses the [Z3](https://github.com/Z3Prover/z3) solver. In many cases, it's possible to state only the final properties you want your program to have, with annotations such as `requires` and `ensures` clauses, and let the prover do the rest for you, automatically.
+
+In other cases, however, the prover can need help. It may be that it's unable to prove a particular goal, it may be that it takes so long to prove the goal that it slows down your development cycle, or it may be that the program successfully verifies one time but fails or times out after a small change to the program, a change in the Dafny version being used, or even a change in platform.
+
+In all of these cases, the general solution strategy is the same. Although we hope that most Dafny users will not need to know much about the way Dafny's verification goals are constructed or the way the SMT solver works, there are a few high-level concepts that can be very helpful in getting verification to succeed.
+
+The most fundamental of these is that the solver works best when it has exactly the information it needs available to arrive at a particular conclusion. If key facts are missing, verification will certainly fail. If too many irrelevant facts are available in the scope of a particular goal, the solver can get lost pursuing fruitless chains of reasoning, leading to Dafny being unable prove the goal, timing out, or exhibiting a combination of verification success, timeout, and failure to prove the goal as small changes occur.
+
+The second key concept is that certain types of facts are more difficult to reason about. These proofs can be helped by isolating the reasoning about such facts to small portions of your program and providing extra detail to help the prover when reasoning about those isolated instances. A later section describes some of the more difficult types of reasoning and provides some techniques for dealing with each.
+
+Overall, this document provides a conceptual framework and examples of a number of concrete techniques for making verification in Dafny more likely to succeed, and to predictably succeed over time as the program and the Dafny implementation evolve. Fortunately, most of these techniques are closely connected to good software engineering principles such as abstraction and information hiding, and are therefore likely to make it easier for you to fully understand your program, and why it's correct, as well.
+
+At a high level, understanding how to optimize verification requires understanding a few things:
+
+* what Dafny is attempting to prove, and what information is available in constructing a particular verification goal;
+* which individual goals in the verification of a definition are difficult;
+* what general types of verification tend to be difficult;
+* how to provide additional hints to expand the information available for a specific goal; and
+* how hide information to restrict the information available for a specific goal.
+
+# The facts Dafny deals with
+
+To ensure that the verifier has exactly the right amount of information available, it'll help to review exactly what information is in scope at a particular point in a Dafny program and what goals the verifier attempts to prove.
+
+First, Dafny attempts to prove that several predicates are always true, including the following.
+
+* The expression in every `assert` statement, at the point where it occurs.
+
+* The well-formedness condition of any partial operation, including array indexing and division, at the point where it occurs.
+
+* Every `invariant` clause, before the loop it is associated with it begins, and at the end of each iteration of the loop body.
+
+* Every `requires` clause of a `function`, `lemma`, or `method`, at the call site.
+
+* Every `ensures` clause of a `function`, `lemma`, or `method`, right before returning.
+
+A complete list is available [here](../DafnyRef/DafnyRef#sec-assertion-batches).
+
+Although only one of these uses the `assert` keyword, we use the term _assertion_ to describe each of these verification goals. A collection of assertions, taken together, is called an _assertion batch_.
+
+When trying to prove each of these statements, Dafny assumes the following predicates to be true, making them available as facts for the verifier to use. These include the following.
+
+* Each `requires` clause of a Dafny `function`, `lemma`, or `method`, is known, throughout the body, to hold at the beginning of the body.
+
+* Each `invariant` clause of a loop is known, throughout its loop body, to hold at the beginning of the body.
+
+* Each `ensures` clause of a called `function`, `lemma`, or `method` is known, for the remainder of the body calling it, to hold at the point just after a call site.
+
+* The expression in each `assume` statement is known in subsequent code to hold at the point of the statement.
+
+* The expression in each `assert` statement is known in subsequent code to hold at the point of the statement.
+
+* The well-formedness condition of any partial operation, including array indexing and division, in subsequent code.
+
+* The branch condition for each branch, within the body of that branch.
+
+In all of the above cases, "subsequent code" extends to the end of the current definition, except in the case of the `assert P by S` construct where it extends to the end of the `by` block. More detail on this construct appears later.
+
+Because almost all of these facts are available in a limited scope, sometimes the body of a definition and sometimes specific blocks within that body, the structure of the program has a significant impact on the set of facts the solver considers when attempting verification. Restricting this set, by careful consideration of program structure, can significantly impact the performance and predictability of verification.
+
+By default, whenever Dafny attempts to verify the correctness of a specific definition, it combines every assertion within that definition into a single assertion batch. This tends to provide very good performance in the common case, but sometimes it can slow down verification and make it difficult to identify which factors contribute to making the verification slow. To help identify the difficult assertions in a batch, and sometimes to speed up verification overall, it is possible to break verification up into a number of assertion batches, each containing a subset of all the assertions in the definition.
+
+# Identifying difficult assertions
+
+When Dafny fails to prove an assertion, it will point out the location of that assertion in the program and describe what it was trying to prove at that point.
+
+However, when verification times out, Dafny will (by default) tell you only which definition timed out. This is similarly true in the case where verification takes longer to complete than is practical for your development cycle. To get more fine-grained information about exactly which assertion was difficult to prove, it's possible to tell Dafny to _split_ the verification process into several batches, each of which can succeed, fail, or time out independently. This also makes independent statistics about resource use available for each batch.
+
+Dafny provides several attributes that tell it to verify certain assertions separately, rather than verifying everything about the correctness of a particular definition in one query to the solver.
+
+* The [`{:split_here}`](../DafnyRef/DafnyRef#sec-split_here) attribute on an `assert` statement tells Dafny to verify all assertions leading to this point in one batch and all assertions after this point (or up to the next `{:split_here}`, if there is one) in another batch.
+
+* The [`{:focus}`](../DafnyRef/DafnyRef#sec-focus) attribute on an `assert` or `assume` statement tells Dafny to verify all assertions in the containing block, and everything that _always_ follows it, in one batch, and the rest of the definition in another batch (potentially subject to further splitting due to other occurrences of `{:focus}`).
+
+* The [`{:isolate_assertions}`](../DafnyRef/DafnyRef#sec-isolate_assertions) attribute on a definition tells Dafny to verify each assertion in that definition in its own batch. You can think of this as being similar to having many `{:focus}` or `{:split_here}` occurrences, including on assertions that arise implicitly, such as preconditions of calls or side conditions on partial operations.
+
+We recommend using `{:isolate_assertions}` over either of the other attributes under most circumstances.  It can also be specified globally, applying to all definitions, with `dafny verify --isolate-assertions`. If you're using the legacy options without top-level commands, use the `/vcsSplitOnEveryAssert` flag, instead.
+
+When Dafny verifies a definition in smaller batches, the VS Code plugin will display performance statistics for each batch when you hover over a particular definition.
+
+Consider the following method, which proves a few simple arithmetic facts.
+
+<!-- %check-verify -->
+```dafny
+const TWO_TO_THE_32:  int := 0x1_00000000
+newtype uint32 = x: int | 0 <= x < TWO_TO_THE_32
+
+method {:isolate_assertions} ProveSomeArithmetic(x: uint32) {
+  assert forall y :: y * y != 115249; // 115249 is prime
+  assert (x as bv32) as uint32 <= x;
+  assert x < 65535 ==> x * 2 == x + x;
+}
+```
+
+Hovering over the name of the definition will show you performance statistics for all assertion batches.
+
+![image](hover-method.png)
+
+Although the time taken to complete verification is ultimately the factor that most impacts the development cycle, this time can depend on CPU frequency scaling, other processes, etc., so Z3 provides a separate measurement of verification difficulty known as a _resource count_. When running the same build of Z3 on the same platform multiple times, the resource count is deterministic, unlike time. Therefore, the IDE displays performance information in terms of Resource Units (RU).
+
+Hovering over a specific assertion will show you performance statistics for the specific batch containing that assertion (and, in the case of `{:isolate_assertions}`, only that assertion).
+
+![image](hover-assertion.png)
+
+Statistics are also available using command-line options, in formats optimized for either human or machine consumption. The `--log-format text` option to `dafny verify`, or the `/verificationLogger:text` old-style option, produces text to standard output. A snippet of the output for the method above might look something like this.
+
+<!-- %no-check -->
+```text
+...
+  Assertion batch 4:
+    Outcome: Valid
+    Duration: 00:00:00.1344230
+    Resource count: 63182
+
+    Assertions:
+      ProveSomeArithmetic.dfy(6,22): result of operation never violates newtype constraints for 'uint32'
+
+  Assertion batch 5:
+    Outcome: Valid
+    Duration: 00:00:00.1359990
+    Resource count: 169237
+
+    Assertions:
+      ProveSomeArithmetic.dfy(6,32): assertion always holds
+
+  Assertion batch 6:
+    Outcome: Valid
+    Duration: 00:00:00.0844010
+    Resource count: 63494
+
+    Assertions:
+      ProveSomeArithmetic.dfy(7,14): result of operation never violates newtype constraints for 'uint32'
+...
+```
+
+The `--log-format csv` option to `dafny verify`, or the `/verificationLogger:csv` old-style option, produces output in a file in CSV format, and prints the name of the file. For the above method, this file might look something like the following.
+
+<!-- %no-check -->
+```text
+TestResult.DisplayName,TestResult.Outcome,TestResult.Duration,TestResult.ResourceCount
+ProveSomeArithmetic (correctness) (assertion batch 1),Passed,00:00:00.1880600,50027
+ProveSomeArithmetic (correctness) (assertion batch 2),Passed,00:00:00.1640300,127152
+ProveSomeArithmetic (correctness) (assertion batch 3),Passed,00:00:00.1389720,59361
+ProveSomeArithmetic (correctness) (assertion batch 4),Passed,00:00:00.1296620,63182
+ProveSomeArithmetic (correctness) (assertion batch 5),Passed,00:00:00.1232840,169237
+ProveSomeArithmetic (correctness) (assertion batch 6),Passed,00:00:00.0937380,63494
+ProveSomeArithmetic (correctness) (assertion batch 10),Passed,00:00:00.0774500,66869
+ProveSomeArithmetic (correctness) (assertion batch 9),Passed,00:00:00.0708400,67341
+ProveSomeArithmetic (correctness) (assertion batch 8),Passed,00:00:00.0644100,64792
+ProveSomeArithmetic (correctness) (assertion batch 7),Passed,00:00:00.0622940,65952
+```
+
+In all of these output formats, you can see that batch 5, corresponding to the assertion about conversion to and from bit vectors, is the most expensive to prove. Later sections will go into why this is the case, and how to make verification involving bit vectors more straightforward.
+
+# Identifying highly variable assertions
+
+Sometimes, verifying a particular assertion succeeds initially but fails after a small change. We refer to this phenomenon as _verification variability_. The techniques in this document can help to fix verification when it occurs. However, sometimes it would be more helpful to predict when verification of your program is likely to be highly variable, and adapt it proactively, when you can intentionally set aside time, rather than needing to fix it retroactively.
+
+Fundamentally, one key source of this variability comes from the fact that SMT solvers must make a sequence of initially arbitrary decisions to search through the space of possible proofs. To help explore this large space more effectively, they often use randomness to help decide between the arbitrary choices. In other cases, choices that are fundamentally arbitrary are made deterministically but in a way that is dependent on factors such as ordering within a data structure. The ordering of these internal data structures can be influenced by things like the names of definitions, the order in which they occur in a file, and so on.
+
+Dafny can help you identify when the verification of a particular assertion may begin to fail after small modifications if you use the `measure-complexity` command. When using this command, Dafny attempts to verify each definition in your program multiple times, each time with a different random seed. This seed is used to permute the names and ordering used in formulas sent to the solver, and then is given to the solver to use in making its own random decisions internally.
+
+If the time or resource count taken to verify a given assertion batch is higher than most, this is frequently predictive of later failure after small modifications. Similarly, if this cost varies widely depending on the random seed, it can also point to high underlying complexity.
+
+To measure the variation in resource use for the method from the previous section, on 10 different random seeds, we could use the following command.
+
+```sh
+$ dafny measure-complexity ProveSomeArithmetic.dfy --log-format csv --iterations 10
+```
+
+This will produce a CSV file and print out its name, as in the previous `dafny verify` case. With the `measure-complexity` command, however, each assertion batch will appear multiple times in the file. Given a CSV report containing the results of multiple iterations of verification, the [`dafny-reportgenerator`](https://github.com/dafny-lang/dafny-reportgenerator) tool can perform statistical analysis on this data, and can even be used to fail a build if the statistics exceed specified bounds.
+
+We generally recommend keeping the coefficient of variation (a.k.a. normalized standard deviation) of the resource count under 20%, and setting some (generally project-dependent) limit on total resource count. This can be enforced with the following command.
+
+```sh
+$ dafny-reportgenerator summarize-csv-results --max-resource-cv-pct 20 --max-resource-count 200000 some-file.csv
+```
+
+On CSV file generated from the above example, you might get output like the following.
+
+<!-- %no-check -->
+```text
+...
+Some results have a resource coefficient of variance over the configured limit of 0.20:
+
+ProveSomeArithmetic (correctness) (assertion batch 5): resource coefficient of variance = 0.47275460664050895
+
+Errors occurred: see above for details.
+```
+
+Here we can see that the assertion identified as the most expensive in the previous section also has the highest variability. The exit code from `dafny-reportgenerator` will be `1` in this case, since `0.47` is higher than `0.20`, so it can be used to fail a build or CI job.
+
+# Types of assertion that can be difficult to verify
+
+Several specific types of operation may make Dafny programs particularly difficult to verify. Verifying assertions that involve these operations can be very slow, or even impossible, without additional help in the form of intermediate assertions or lemmas.
+
+## Non-linear arithmetic
+
+Non-linear arithmetic in Dafny generally takes the form of multiplication operations where both sides are variables or any instance of the division or modulus operations. Proving arbitrary facts about operations of this form is undecidable, so the solver must use incomplete heuristics, and frequently gives up.
+
+Fortunately, Dafny gives you the power to prove complex facts about non-linear arithmetic by building on slightly less complex facts, and so on, down to the point where the solver can prove the smallest building blocks automatically.
+
+There are a number of examples in the Dafny [`libraries`](https://github.com/dafny-lang/libraries) repository that do just this. For example, consider the following sequence of lemmas that builds up from basic properties about multiplication all the way to basic properties about exponentiation.
+
+<!-- %check-verify -->
+```dafny
+lemma LemmaMulBasics(x: int)
+  ensures 0 * x == 0
+  ensures x * 0 == 0
+  ensures 1 * x == x
+  ensures x * 1 == x
+{
+}
+
+opaque function Pow(b: int, e: nat): int
+  decreases e
+{
+  if e == 0 then
+    1
+  else
+    b * Pow(b, e - 1)
+}
+
+lemma LemmaPow0(b: int)
+  ensures Pow(b, 0) == 1
+{
+  reveal Pow();
+}
+
+lemma LemmaPow1(b: int)
+  ensures Pow(b, 1) == b
+{
+  calc {
+    Pow(b, 1);
+    { reveal Pow(); }
+    b * Pow(b, 0);
+    { LemmaPow0(b); }
+    b * 1;
+    { LemmaMulBasics(b); }
+    b;
+  }
+}
+```
+
+All of these lemmas can be proved and used with the `--disable-nonlinear-arithmetic` flag enabled. These lemmas also demonstrate several techniques that we'll describe in more detail later: lots of small lemmas, opaque functions, and [`calc`](../DafnyRef/DafnyRef#sec-calc-statement) statements.
+
+If you have a difficult non-linear fact to prove, and proving it from the ground up is infeasible, it is possible, as a last resort, to adjust how Z3 attempts to prove arithmetic formulas. It contains a parameter, `smt.arith.solver`, that allows you to choose between one of six different arithmetic decision procedures. Dafny has historically used solver "2", and continues to do so by default. This peforms most effectively on the corpus of examples that we have experimented with. However, solver "6", which is the default for Z3 when not being invoked from Dafny, performs better at non-linear arithmetic. Currently, it's possible to choose this solver using the Dafny flag `--boogie /proverOpt:O:smt.arith.solver=6` (or just `/proverOpt:O:smt.arith.solver=6`, when not using top-level commands).
+
+## Relationships between integers and bit vectors
+
+Dafny contains two distinct ways to describe what might be stored in a machine word in other programming languages.
+
+* The `int` type denotes the unbounded mathematical integers. A newtype based on `int` can be used to represent the subset of integers that can be stored in a machine word of width _n_.
+
+* The `bv`_n_ type denotes bit vectors of width _n_, which can be used to represent a subset of $2^n$ of the integers.
+
+Mathematical operations such as addition and multiplication are available for both types. Bit-wise logical and shifting operations are only available for bit vectors. The `as` keyword can be used to convert between integers and bit vectors, assuming that Dafny can prove that all possible values of the original type can be represented in the new type. However, this conversion is described, at the logical level used for verification, as a complex non-linear equation. Therefore, reasoning in which Dafny must consider the relationship between facts about a value represented as an integer and other facts about that value represented as a bit vector will typically be harder than when reasoning purely about integers or purely about bit vectors.
+
+For example, consider the following three lemmas.
+
+<!-- %check-verify -->
+```dafny
+const TWO_TO_THE_32:  int := 0x1_00000000
+newtype uint32 = x: int | 0 <= x < TWO_TO_THE_32
+
+lemma DropLSBLessBV(x: bv32)
+  ensures (x & 0xFFFFFFFE) <= x
+{}
+
+lemma DropLSBLessAsBV(x: uint32)
+  ensures ((x as bv32) & 0xFFFFFFFE) <= x as bv32
+{}
+
+lemma DropLSBLessIntBVLemma(x: uint32)
+  ensures ((x as bv32) & 0xFFFFFFFE) as uint32 <= x
+{
+  assume false;
+}
+```
+
+These all show that clearing the least significant bit of a 32-bit word results in a value less than or equal to the original. The first lemma operates purely on bit vectors, whereas the second starts with an integer constrained to be in the range representable in a 32-bit integer. Although Dafny is able to prove both both, proving the latter, with Dafny 4.0.0 and Z3 4.12.1, takes around 7x the resource count of the former (and about twice as much time). The third requires reasoning about the relationship between the result of a bit vector operation and its value as an integer, and Dafny is unable to prove this variant at all (hence the `assume false` in the body of the lemma, to allow automatic checking of the examples in this document to succeed).
+
+A wiki page providing more detail on optimizing bit-vector verification is available [here](https://github.com/dafny-lang/dafny/wiki/Bit-Vector-Cookbook).
+
+## Quantified statements
+
+Dafny allows arbitrary use of quantifiers in logical formulas. It's possible to, for example, write `forall x: int :: exists y: int :: y > x`. From a technical standpoint, this means it allows you to write arbitrary statements in first-order logic. However, the problem of deciding the validity of a given statement in first-order logic is undecidable. And, in practice, heavy use of quantifiers, while it is often the most natural way to describe a program, can lead solvers such as Z3 to time out or give up when trying to verify your program.
+
+Typically the solution is not to avoid quantifiers altogether. Dafny can be very good at reasoning about them in resticted contexts. Instead, it tends to be good to follow two general principles:
+
+* Give Dafny help instantiating quantifiers when using quantified statements to prove other things. This will typically involve intermediate assertions, as described in the next section.
+
+* Restrict the scope of quantifiers as much as possible. Perhaps use them in certain definitions, but then use the fully-quantified versions of those definitions only to prove less-heavily-quantified facts you may use later. Or encapsulate quantified formulas in opaque predicates that are usually used just by name and only occasionally revealed. Later sections will describe these techniques in more detail.
+
+# Adding intermediate steps
+
+For verification to succeed, the verifier must have enough information available. For verification to be efficient and predictable, it must not have too much information available, but it also helps to not require it to make overly large deductive leaps. For verification to be maintainable in the long term, therefore, it's important to find the right balance.
+
+In many cases, this can be done in two phases.
+
+* First, determine a sufficient set of facts to allow a goal to be verified. Once it has passed the verifier once, you can be confident that the goal is valid, and that it's possible to prove its validity using the facts at hand.
+
+* Second, trim down the set of irrelevant facts available, or add intermediate steps in an isolated context, to optimize the verification process.
+
+We'll start by focusing on how to add information to allow verification to go through. Some of these steps can also speed up verification that already succeeds, but they can also slow it down. So, after we describe how to add information to the verification proces, we continue by showing how to isolate the information needed to verify a particular fact, hiding it in the context of verifying other facts.
+
+## Inline assertions
+
+Sometimes, when you know `A` and want to prove `C`, Dafny is unable to make the logical leap directly. In these cases, it's often the case that there's some predicate `B` for which Dafny can prove both `A ==> B` and `B ==> C` automatically. When that's true, inserting an `assert B` statement in the right place can allow verification to go through.
+
+This example, modified from some code in the `libraries` repository, illustrates the case. It shows that if a given binary operator (passed in as a function value) has a left unit value and a right unit value that those two unit values are equal to each other.
+
+<!-- %check-verify -->
+```dafny
+ghost predicate IsLeftUnital<T(!new)>(bop: (T, T) -> T, unit: T) {
+  forall x :: bop(unit, x) == x
+}
+
+ghost predicate IsRightUnital<T(!new)>(bop: (T, T) -> T, unit: T) {
+  forall x :: bop(x, unit) == x
+}
+
+ghost predicate IsUnital<T(!new)>(bop: (T, T) -> T, unit: T) {
+  && IsLeftUnital(bop, unit)
+  && IsRightUnital(bop, unit)
+}
+
+lemma UnitIsUnique<T(!new)>(bop: (T, T) -> T, unit1: T, unit2: T)
+  requires IsUnital(bop, unit1)
+  requires IsUnital(bop, unit2)
+  ensures unit1 == unit2
+{
+    assert unit1 == bop(unit1, unit2);
+}
+```
+
+Here, `UnitIsUnique` couldn't be proved automatically (with a `{  }` body), but succeeds easily with the intermediate assertion.
+
+## Calculation statements
+
+When there are many intermediate assertions needed to get from `A` to `C`, it can become messy and difficult-to-read if they exist only as a sequence of `assert` statements. Instead, it's possible to use a [`calc`](../DafnyRef/DafnyRef#sec-calc-statement) statement to chain together many implications, or other relationships, between a starting and ending fact. The version of `UnitIsUnique` that exists in the `libraries` repository is actually proved as follows.
+
+<!-- %no-check -->
+```dafny
+lemma UnitIsUnique<T(!new)>(bop: (T, T) -> T, unit1: T, unit2: T)
+  requires IsUnital(bop, unit1)
+  requires IsUnital(bop, unit2)
+  ensures unit1 == unit2
+{
+  calc {
+    unit1;
+  == { assert IsRightUnital(bop, unit2); }
+    bop(unit1, unit2);
+  == { assert IsLeftUnital(bop, unit1); }
+    unit2;
+  }
+}
+
+```
+
+Here, the `calc` block establishes a chain of equalities, `unit1 == bop(unit1, unit2) == unit2` by using an intermediate assertion to justify each step. This is more information than Dafny strictly needs, but can make the code more readable and the verification less variable.
+
+## Instantiating universally quantified formulas
+
+A universally quantified formula tells you that a certain fact is true for all values of a variable in a given domain. In many cases, however, you may know more about what specific instances need to be proved.
+
+
+Dafny can often bridge the gap between a universally quantified fact and an unquantified fact needed to make progress. However, it needs to do much less work if you can describe specific instantiations of interest.
+
+For example, an old commit in the `libraries` repository contains the following snippet:
+<!-- %no-check -->
+``` dafny
+lemma LemmaMulEqualityAuto()
+  ensures forall x: int, y: int, z: int {:trigger x * z, y * z } :: x == y ==> x * z == y * z
+
+...
+
+LemmaMulEqualityAuto();
+assert sum * pow == (z + cout * BASE()) * pow;
+```
+
+The assertion helps Dafny figure out how to instantiate the postcondition of `LemmaMulEqualityAuto`, making the verification process more efficient.
+
+As we'll describe in more detail later, however, it can sometimes be better to avoid the quantifiers in the first place than to help Dafny instantiate them.
+
+# Hiding information
+
+There are several ways to structure a Dafny program to limit the number of facts that are available in scope at any particular point. First we'll go over a few that can be applied as small changes to existing programs, and then we'll cover some that are better applied early in the development process (though they can be applied to existing programs with more significant refactoring).
+
+## Local proofs
+
+On the other hand, and more frequently in practice, a sequence of assertions will build on each other, constructing a path from some initial fact to a final conclusion. If the initial assertions exist only to prove the final one, and they are not relevant for any other proofs, they can be hidden with the `assert ... by { ... }` syntax.
+
+For example, say you have the following code.
+
+<!-- %no-check -->
+```dafny
+assert A; // Something readily provable on its own
+assert B; // Something readily provable on its own
+assert C; // The conclusion you really care about, which is easier to to prove given knowledge of A and B
+```
+
+You can restructure this as follows.
+
+<!-- %no-check -->
+```dafny
+assert C by {
+  assert A;
+  assert B;
+}
+```
+
+This makes `C` visible in subsequent code, but hides `A` and `B` except when proving `C`.
+
+## Proofs in lemmas
+
+If you find yourself asserting many things in sequence, including in a calculation block, consider moving that proof to a separate lemma and calling it at the point where you need the final conclusion. Consider the same example from the previous section.
+
+<!-- %no-check -->
+```dafny
+assert C by {
+  assert A;
+  assert B;
+}
+
+```
+
+This can be moved to a separate lemma.
+
+<!-- %no-check -->
+```dafny
+lemma CIsTrue()
+  ensures C
+{
+  assert A;
+  assert B;
+}
+```
+
+Then `CIsTrue` can be called from any location where you need to know `C`. In practice, `CIsTrue` will probably need to take parameters, to account for any free variables in `C`, and those must then be passed in at any call site. This can make proofs somewhat more verbose, at a local level, but if done carefully it can reduce the total size and complexity of a program.
+
+## Opaque definitions
+
+By default, the body of a `function` definition is available to the verifier in any place where that function is called. The bodies of any functions called from this initial function are also available. Stated differently, Dafny inlines function bodies aggressively during verification. There are two exceptions to this.
+
+* The body of a function (or predicate) declared with the `opaque` keyword is, by default, _not_ available to the verifier. Only its declared contract is visible. In any context where information about the body is necessary to allow verification to complete, it can be made available with `reveal F();` for a function named `F`.
+
+* The body of a recursive function is normally available to depth 2 when it appears in an asserted predicate or depth 1 when it appears in an assumed predicate. That is, the body of the function and (in the assertion case) a second inlining of its body at each recursive call site are available to the verifier. The [`{:fuel n}`](../DafnyRef/DafnyRef#sec-fuel) annotation will increase the depth to which recursively-called bodies are exposed.
+
+Aggressive inlining is convenient in many cases. It can allow Dafny to prove quite complex properties completely automatically. However, it can also quickly lead to feeding an enormous amount of information to the verifier, most of it likely irrelevant to the goal it is trying to prove.
+
+Therefore, it can be valuable to think carefully about which aspects of a function need to be known in each use case. If it's possible to structure your program so that each caller only needs information about certain aspects of its behavior, it can be valuable to do the following:
+
+* Add the `opaque` keyword to the function definition.
+
+* [Reveal](../DafnyRef/DafnyRef#sec-reveal-statement) the definition only in the cases where its body is necessary.
+
+* Potentially prove additional lemmas about the function, each of which may reveal the function during its own proof but allow its callers to leave the function body hidden.
+
+The following is an in-depth example of using this technique.
+
+<!-- %check-verify -->
+```dafny
+datatype URL = URL(scheme: string, host: string, path: string) {
+  opaque predicate Valid() {
+    scheme in { "http", "https", "ftp", "gopher", "mailto", "file" }
+  }
+
+  opaque function ToString(): string
+    requires Valid()
+  {
+    scheme + "://" + host + "/" + path
+  }
+
+  static function Parse(text: string): (url: URL)
+    ensures url.Valid()
+}
+
+function CanonicalURL(urlString: string): string {
+  var url := URL.Parse(urlString);
+  url.ToString()
+}
+```
+
+This code declares a data type to represent a (simplistic) URL, and includes a `Valid` predicate that describes what it means to be a valid URL. The `ToString` function will convert a valid URL, and the `Parse` function (unimplemented for now) constructs a valid URL (putting aside the possibility of a parsing failure for the moment). Using this data type, the `CanonicalURL` function turns a URL string into its canonical equivalent. From the point of view of the implementation of this function, it doesn't matter what `Valid` means. It only matters that `Parse` returns a valid URL and `ToString` requires one. When `Valid` is opaque, Dafny ignores its definition by default, simplifying the reasoning process. It's easy to conclude `url.Valid()` from `url.Valid()` without knowing what `Valid` means.
+
+In this case, no `reveal` statements or auxiliary lemmas are necessary.
+
+Although the difference is small in this simple case, we can already see a performance impact of making `Valid` opaque. In one example run, using Dafny 4.0.0 and Z3 4.12.1, the code above verifies using 83911 RU (taking 0.282s). An equivalent example, in which `Valid` and `ToString` are not opaque, takes 87755 RU (and 0.331s). For larger programs with larger functions, especially with deep function call stacks, the difference can become much larger.
+
+In the context of larger programs, you can enforce opacity even more strongly by using export sets. If you write lemmas declaring the key properties of each of your functions that are relevant for client code, you put those functions and lemmas in the `provides` clause of your module, and very little if anything in the `reveals` clause. If you do this, it's important that you provide lemmas covering all the important behavior of your module. But, if you do, then it becomes easier for developers to write client code that uses your module, and easier for Dafny to prove things about that client code.
+
+Making definitions opaque can be particularly important when they are recursive or involve quantifiers. Because of the considerations around quantifiers described earlier, hiding quantified formulas until they're needed can be very important for improving performance and reducing variability.
+
+## Opaque specification clauses
+
+In addition to top-level definitions, assertions, preconditions, postconditions, and loop invariants can be made opaque. If you add a label to any instance of one of these contstructs, it will be hidden by default and only available when explicitly revealed.
+
+For example, consider the following method with an opaque precondition.
+
+<!-- %check-verify -->
+```dafny
+method OpaquePrecondition(x: int) returns (r: int)
+  requires P: x > 0
+  ensures r > 0
+{
+  r := x + 1;
+  assert r > 0 by { reveal P; }
+}
+```
+
+## Subsumption
+
+The default behavior of an `assert` statement is to instruct the verifier to prove that a predicate is always true and then to assume that same predicate is true in later portions of the code, making it available to help prove other facts. This is called _subsumption_.
+
+On occasion, however, you may have an `assert` statement that exists to show a desired condition for its own sake, and that does not help prove later facts. This might occur during the intermediate stages of the development of a verified program in which you want to establish some intermediate facts locally, which you believe to be indicative of correctness, but don't yet want to expand these into fully-fledged contracts on your definitions that could be used to establish a more global notion of correctness.
+
+In this case, you can [disable subsumption](../DafnyRef/DafnyRef#1133-subsumption-n), using `assert {:subsumption 0} P`, to reduce the number of facts in scope in subsequent code. This is similar to `assert L: P`, except that in the case of a labeled assertion the predicate can be selectively revealed later. If you know you'll _never_ need `P`, rather than _usually_ not needing it, subsumption could be a better option.
+
+## Avoiding quantifiers
+
+Dafny allows you to prove both quantified and unquantified version of a fact. And, in some cases, the quantified version can be more convenient, allowing you to prove things with fewer steps, and with less need to keep track of details. For example, the Dafny `libraries` repository contains a definition that looks roughly like the following (with a few simplifications).
+
+<!-- %no-check -->
+```dafny
+lemma LemmaMulAuto()
+  ensures forall x:int, y:int :: x * y == y * x
+  ensures forall x:int, y:int, z:int :: (x + y) * z == x * z + y * z
+  ensures forall x:int, y:int, z:int :: (x - y) * z == x * z - y * z
+{
+...
+}
+
+lemma LemmaMulIsDistributiveAddOtherWay(x: int, y: int, z: int)
+  ensures (y + z) * x == y * x + z * x
+{
+  LemmaMulAuto();
+}
+```
+
+However, although these proofs are very succinct, they require the verifier to do more work. If you encounter cases where this leads to verification failures, it can often help to prove more specific instances.
+
+One particular pattern that works well when creating general-purpose lemmas proving universal properties is to prove a parameterized version first and then use that to prove the universal version. Then, clients of the lemma can choose one or the other.
+
+For example, consider the following two lemmas taken from the `libraries` repository.
+
+<!-- %check-verify -->
+```dafny
+lemma LemmaMulEquality(x: int, y: int, z: int)
+  requires x == y
+  ensures x * z == y * z
+{}
+
+lemma LemmaMulEqualityAuto()
+  ensures forall x: int, y: int, z: int :: x == y ==> x * z == y * z
+{
+  forall (x: int, y: int, z: int | x == y)
+    ensures x * z == y * z
+  {
+    LemmaMulEquality(x, y, z);
+  }
+}
+```
+
+There was another instance of code in the repository where verification began to fail after upgrading the version of Z3 included with Dafny. That code originally used `LemmaMulEqualityAuto`. We [updated it](https://github.com/dafny-lang/libraries/blob/7c386fa0b4a267715f9bd49948d1af68e1631e6b/src/dafny/Collections/LittleEndianNat.dfy#L532) to call `LemmaMulEquality` with the appropriate parameters and verification reliably succeeded.
+
+In general, creating and using explicit lemmas like `LemmaMulEquality`, and skipping lemmas like `LemmaMulEqualityAuto` altogether, tends to lead to code with less verification variability.
+
+## Adding triggers
+
+If you can't avoid the use of quantifiers, careful use of _triggers_ can help reduce the amount of work Dafny needs to do to benefit from the information in a quantified formula. The original version of the `LemmaMulEqualityAuto` lemma in the above looks like the following.
+
+<!-- %check-verify -->
+```dafny
+lemma LemmaMulEquality(x: int, y: int, z: int)
+  requires x == y
+  ensures x * z == y * z
+{}
+
+lemma LemmaMulEqualityAuto()
+  ensures forall x: int, y: int, z: int {:trigger x * z, y * z } :: x == y ==> x * z == y * z
+{
+  forall (x: int, y: int, z: int | x == y)
+    ensures x * z == y * z
+  {
+    LemmaMulEquality(x, y, z);
+  }
+}
+```
+
+The [`{:trigger}`](../DafnyRef/DafnyRef#sec-trigger) annotation tells it to only instantiate the formula in the postcondition when the solver sees two existing formulas, `x * z` and `y * z`. That is, if it sees two multiplications in which the right-hand sides are the same.
+
+Adding an explicit trigger annotation is generally a last resort, however, because Dafny attempts to infer what triggers would be useful and typically comes up with an effective set. The need for manually-specified triggers often suggests that code could be refactored into a larger number of small, separate definitions, for which Dafny will then infer exactly the triggers you need.
+
+## Smaller, more isolated definitions
+
+As a general rule, designing a program from the start so that it can be broken into small pieces with clearly-defined interfaces is helpful for human understanding, flexibility, maintenance, and ease of verification. More specific instances of this include the following.
+
+* Break large functions into smaller functions, especially when they're ghost functions, and make at least some of them opaque. I often consider a ghost function of more than a handful of lines to be a bad code smell. There are exceptions where larger functions are necessary or are the most straightforward alternative, though, such as when handling all of the many cases of a complex algebraic data type.
+
+* Prove lemmas about functions rather than having numerous or complex postconditions. The individual lemmas can then be invoked only when needed, and other facts that are true but irrelevant will not bog down the solver.
+
+* Break methods up into smaller pieces, as well. Because methods are always opaque, this will, in many cases, require adding a contract to each broken-out method. To make this more tractable, consider abstracting the concepts used in those contracts into separate functions, some of which may be opaque.
+
+# Verification fine-tuning
+
+## Conjunction vs. Nested ifs
+
+We have witnessed cases where the following code:
+```dafny
+    if (a && b) {
+        assert true;
+    }
+```
+verifies slower than
+```dafny
+    if (a) {
+        if (b) {
+            assert true;
+        }
+    }
+```
+This is because the well-formedness of `&& b` adds an extra proof obligation, which is empty in this case but not trimmed, so there is an extra `if (a) {}` in the encoding.
+Therefore, for verification performance, the nested ifs _could_ verify faster, and we have witnessed one case where it does. In other cases, this difference in translation might trigger butterfly effects and uncover brittleness.
+
+# Summary
+
+When you're dealing with a program that exhibits high verification variability, or simply slow or unsuccessful verification, careful encapsulation and information hiding combined with hints to add information in the context of difficult constructs is frequently the best solution. Breaking one large definition with extensive contracts down into several, smaller definitions, each with simpler contracts, can be very valuable. Within each smaller definition, a few internal, locally-encapsulated hints can help the prover make effective progress on goals it might be unable to prove in conjunction with other code.
+
+Some of the key concrete techniques to limit the scope of each verification goal include:
+* Making functions and predicates `opaque` when possible.
+* Moving a sequence of assertions that build on each other into an `assert P by { ... }` block, where `P` is the final conclusion you want to establish.
+* Making contract elements and assertions opaque, using labels, when you can't conveniently abstract their contents into separate definitions.
+* Avoiding quantifiers when possible, and encapsulating them in opaque definitions when they can't be avoided.
+* Using additional parameters to lemmas instead of quantified postconditions.
+* Separating reasoning about difficult-to-combine data types such as integers and bit vectors.
+
+Within each smaller definition, techniques for providing hints include:
+* Using inline assertions.
+* Instantiating any quantified statements by hand.
+* Providing detailed chains of reasoning for any statements about non-linear arithemetic.
+* Using `calc` statements instead of long chains of `assert` statements.
diff --git a/v4.10.0/VerificationOptimization/hover-assertion.png b/v4.10.0/VerificationOptimization/hover-assertion.png
new file mode 100644
index 0000000..c898ed4
Binary files /dev/null and b/v4.10.0/VerificationOptimization/hover-assertion.png differ
diff --git a/v4.10.0/VerificationOptimization/hover-method.png b/v4.10.0/VerificationOptimization/hover-method.png
new file mode 100644
index 0000000..f45b6ea
Binary files /dev/null and b/v4.10.0/VerificationOptimization/hover-method.png differ
diff --git a/v4.10.0/_config.yml b/v4.10.0/_config.yml
new file mode 100644
index 0000000..57af79d
--- /dev/null
+++ b/v4.10.0/_config.yml
@@ -0,0 +1,75 @@
+# Welcome to Jekyll!
+#
+# This config file is meant for settings that affect your whole blog, values
+# which you are expected to set up once and rarely edit after that. If you find
+# yourself editing this file very often, consider using Jekyll's data files
+# feature for the data you need to update frequently.
+#
+# For technical reasons, this file is *NOT* reloaded automatically when you use
+# 'bundle exec jekyll serve'. If you change this file, please restart the server process.
+#
+# If you need help with YAML syntax, here are some quick references for you:
+# https://learn-the-web.algonquindesign.ca/topics/markdown-yaml-cheat-sheet/#yaml
+# https://learnxinyminutes.com/docs/yaml/
+#
+# Site settings
+# These are used to personalize your new site. If you look in the HTML files,
+# you will see them accessed via {{ site.title }}, {{ site.email }}, and so on.
+# You can create any custom variable you would like, and they will be accessible
+# in the templates via {{ site.myvariable }}.
+
+title: Dafny Documentation
+#email: your-email@example.com
+description:
+baseurl: "" # the subpath of your site, e.g. /blog
+url: "https://dafny-lang.github.io/dafny" # the base hostname & protocol for your site, e.g. http://example.com
+
+# Build settings
+theme: minima
+
+markdown: kramdown
+highlighter: rouge
+kramdown:
+  header_offset: 1
+  input: GFM
+  syntax_highlighter_opts:
+    default_lang: dafny
+    css_class: 'syntax'
+
+header_pages:
+    - about.md
+
+plugins:
+    - jekyll-numbered-headings
+
+# Exclude from processing.
+# The following items will not be processed, by default.
+# Any item listed under the `exclude:` key here will be automatically added to
+# the internal "default list".
+#
+# Excluded items can be processed by explicitly listing the directories or
+# their entries' file path in the `include:` list.
+#
+exclude:
+   - DafnyRef/Makefile
+   - DafnyRef/README.md
+   - DafnyRef/header.tex
+   - DafnyRef/head.tex
+   - .sass-cache/
+   - .jekyll-cache/
+   - gemfiles/
+   - Gemfile
+   - Gemfile.lock
+   - node_modules/
+   - vendor/bundle/
+   - vendor/cache/
+   - vendor/gems/
+   - vendor/ruby/
+   - "*.expect"
+
+defaults:
+  -
+    scope:
+      path: "" # an empty string here means all files in the project
+    values:
+      layout: "single"
\ No newline at end of file
diff --git a/v4.10.0/_includes/README b/v4.10.0/_includes/README
new file mode 100644
index 0000000..7ffa2a0
--- /dev/null
+++ b/v4.10.0/_includes/README
@@ -0,0 +1,2 @@
+I'm not sure whether these files are used by GitHub's markdown processing.
+Possibly, but I can't find any reference to their use.
diff --git a/v4.10.0/_includes/footer.html b/v4.10.0/_includes/footer.html
new file mode 100644
index 0000000..03e4d2d
--- /dev/null
+++ b/v4.10.0/_includes/footer.html
@@ -0,0 +1,39 @@
+<footer class="site-footer h-card">
+{% comment %}
+  <data class="u-url" href="{{ "/" | relative_url }}"></data>
+
+  <div class="wrapper">
+
+    <div class="footer-col-wrapper">
+      <div class="footer-col">
+        <p class="feed-subscribe">
+          <a href="{{ 'feed.xml' | relative_url }}">
+            <svg class="svg-icon orange">
+              <use xlink:href="{{ 'assets/minima-social-icons.svg#rss' | relative_url }}"></use>
+            </svg><span>Subscribe</span>
+          </a>
+        </p>
+      {%- if site.author %}
+        <ul class="contact-list">
+          {% if site.author.name -%}
+            <li class="p-name">{{ site.author.name | escape }}</li>
+          {% endif -%}
+          {% if site.author.email -%}
+            <li><a class="u-email" href="mailto:{{ site.author.email }}">{{ site.author.email }}</a></li>
+          {%- endif %}
+        </ul>
+      {%- endif %}
+      </div>
+      <div class="footer-col">
+        <p>{{ site.description | escape }}</p>
+      </div>
+    </div>
+
+    <div class="social-links">
+      {%- include social.html -%}
+    </div>
+
+  </div>
+
+{% endcomment %}
+</footer>
diff --git a/v4.10.0/_includes/head.html b/v4.10.0/_includes/head.html
new file mode 100644
index 0000000..51f08f0
--- /dev/null
+++ b/v4.10.0/_includes/head.html
@@ -0,0 +1,9 @@
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <link rel="stylesheet" href="/assets/main.css">
+  <link rel="icon" type="image/svg+xml" href="/images/dafny-favicon.svg">
+  <link rel="icon" type="image/png" href="/images/dafny-favicon.png">
+  {%- seo -%}
+</head>
diff --git a/v4.10.0/_layouts/default.html b/v4.10.0/_layouts/default.html
new file mode 100644
index 0000000..b602378
--- /dev/null
+++ b/v4.10.0/_layouts/default.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<!-- This file is used by the Markdown processor, along with the included files head.html and footer.html.
+     The script tags below allow rendering of some kinds of inline math in the reference manual.
+  -->
+
+<html lang="{{ page.lang | default: site.lang | default: "en" }}">
+
+{%- include head.html -%}
+
+<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript" ></script>
+<script type="text/x-mathjax-config">
+        MathJax.Hub.Config({tex2jax: {inlineMath: [['$','$'], ["\\(","\\)"]], displayMath: [ ["$$","$$"], ["\\[","\\]"] ]
+        }});
+</script>
+
+<body>
+
+  <main class="page-content" aria-label="Content">
+    <div class="wrapper">
+      {{ content }}
+    </div>
+  </main>
+
+  {%- include footer.html -%}
+
+</body>
+
+</html>
diff --git a/v4.10.0/_layouts/single.html b/v4.10.0/_layouts/single.html
new file mode 100644
index 0000000..3280030
--- /dev/null
+++ b/v4.10.0/_layouts/single.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="{{ page.lang | default: site.lang | default: "en" }}">
+
+{%- include head.html -%}
+
+<body>
+
+  <main class="page-content" aria-label="Content">
+    <div class="wrapper">
+      {{ content }}
+    </div>
+  </main>
+
+  {%- include footer.html -%}
+
+</body>
+
+</html>
diff --git a/v4.10.0/check-examples b/v4.10.0/check-examples
new file mode 100644
index 0000000..58264f7
--- /dev/null
+++ b/v4.10.0/check-examples
@@ -0,0 +1,499 @@
+#! /usr/bin/env bash
+
+## This bash script checks that example code in markdown files runs as expected.
+##  -- the script expects to be located in dafny/docs
+##      and finds other parts of the dafny working tree
+##      relative to that location
+##  -- it is intended to be run within a development or CI environment. That is, it finds 
+##     an executable dafny presuming such an environment. (The variable $dafny in the
+##     script says what executable to use.)
+##  -- There is only one command-line option, '-c', which
+##     if present must be first. It sets the coverage mode
+##     described below.
+##
+## What is checked?
+## In each input file in turn, each code block delineated by
+## markdown ``` pairs is checked, as described below.
+## -- Each block is expected to have a language tag. Often this
+##    tag is "dafny" (as in ```dafny) but may be other tags as well.
+##    A reasonable tag to disable checking is "text".
+##    If there is no tag a default tag is used (see below).
+##    The script warns if there is no tag and no default.
+## -- No whitespace is permitted between ``` and the tag.
+## -- Markdown itself does not allow any other text on this delimiter line.
+## -- The script is not robust against mismatched ``` pairs.
+##
+## Operational modes -- there are three modes of operation.
+##    -- checking the code against an expected output file (the default behavior)
+##    -- checking the code for a given error message (if %useHeadings has been set)
+##    -- producing lit files for coverage checking (if the -c command-line option is present)
+##
+## What command is used to check?
+## Instructions for checking each code block are given in a single-line HTML
+## comment (which is also a markdown comment), namely, keywords
+## enclosed in <!-- and -->, with the first character of the enclosed text being a '%'. 
+## The text inside any such comment is interpreted as potential command information. 
+##
+## Global defaults.
+## If the command information line contains '%default', then the 
+## contents of the line are used to set defaults that apply for the
+## remainder of the file (until a subsequent default setting command).
+## Possible settings are:
+## - if '%useHeadings' is present then the checks are against error messages, as described below
+## - if '%check-ids' is present, the error-ids are checked as described below
+## - if '%lang=' is present, then the alpha-numeric word after the = sign is now the default language
+## - if '%exit=n' is present, then the default exit code is the value of n
+## - if '%options' is present, then everything that follows is the default string of command options
+## - the first word of a default line is taken as the default command, if that word is not %default
+##   e.g. <!-- %check-resolve %default --> sets the default command to %check-resolve
+##
+## Each code block is checked according to command information set just before the code block.
+## If there is no such line, the defaults above are used. The information just before a code block
+## applies only to that code block.
+## For example:
+##   <!-- %check-resolve -->
+##   ```dafny
+##     ... code...
+##   ```
+## The command information has the format <!-- command [ expected-output ] [ other options ]  -->
+## - The command has one of the forms
+##    %no-check  -- meaning to skip any checking of this block
+##    %check-cli -- meaning to execute the code as bash shell commands. The language must be 'bash'
+##    %check-legacy -- meaning to check with dafny's legacy cli
+##    %check-verb -- where 'verb' is one of dafny's new-cli verbs (e.g. resolve or verify or test)
+##    The %check-verb form can have '-warn' appended to indicate that only warnings, not errors are expected
+## - If the expected-output is present it is a file name (of a file in the same folder as the markdown file 
+##    being tested). If the name is present, then the output of the command is checked against the content of the file
+##    (and is expected to match exactly).
+## - The 'other options' can be any one of these:
+##    %save <file> -- save the code block (including anything appended from %use) in the given temporary file
+##    %use <file> -- append to the code block the content of the given file (often a temporary saved by a previous %save)
+##    %nomsg -- forget the error pattern from the heading (in the case of subsequent working examples in the explanation)
+##    %first -- only look at the first error message produced (usually because the error recovery is poor)
+##    %err -- check stderr output instead of stdout
+##    %exit <n> -- set the expected exit code of the command.
+##       If not set, the default set in the %default command is used.
+##       If that is not set,  The default exit code is
+##          -- 0 if there is no output file and %iuseHeadings is not being used
+##          -- 0 if the command includes 'warn'
+##          -- if there is an output file and no 'warn', then the default exit code depends on the verb
+##    %options ... -- must be last; everything that follows is the list of options to use. If not present, then the default
+##          option list is used. If that is not present a built-in default is used.
+##
+## Mode: Compare against output file
+##   In this mode, the command is assembled as stated above and run against the code block.
+##   Note that the code block (together with anything included via %use) must be a full dafny
+##   program. There is no support for testing just simple expressions.
+##   The exit code is compared against the expected exit code.
+##   The actual output is compared aginst the stated output file, if any, and otherwise ignored.
+##
+## Mode: Compare against error message
+##   This mode is for the special case of checking the error catalog (the HowToFAQ/Errors-*.md files).
+##   These files consist of sections, each of which has a heading stating an error message and errorid,
+##   a ```-delineated code snippet that is an example of the error message, and then more explanation of the error.
+##   The heading line (which starts with '## **Error:' or '## **Warning:') is parsed to
+##   determine the errorid and a regular expression that matches the expected error messages.
+##   The test consists of running the command against the code snippet, extracting the error message and errorid
+##   from the output and checking those against the expected values.
+##
+##   The error message as given in the header has italicized words (markdown: _word_) for variable text in the error 
+##   message. The script turns these headings into regular expressions, taking into account the presence of 
+##   characters special to regex processing.
+##
+## Mode: Generate lit
+##   The -c option to the script causes lit files to be generated and written to Test/docexamples (see $outdir in the script below)
+##   If these files are generated during CI prior to running integration tests, then they are both executed
+##   as part of the integration tests and included in the coverage metrics. Importantly, all the error
+##   catalog tests are then part of the coverage metrics.
+##
+##   In this mode, the code is not checked, just the lit files generated.
+##
+##   Also, currently, the generated lit commands just run dafny against the given dafny code and check the exit code.
+##   They do not check the results other than the exit code.
+##   Perhaps someday the full test will be made into a lit test and we won't need this script to do the testing.
+
+
+dir=$(dirname "${BASH_SOURCE[0]}")
+dir=`cd "$dir" && pwd`
+dafnydir=$dir/../Scripts
+dafny="$dafnydir/dafny"
+outdir="$dir/../Test/docexamples"
+
+coverage=0
+permOptions="--show-snippets:false "
+defOptions="--function-syntax:4 --use-basename-for-filename"
+legacyOptions="-functionSyntax:4 -useBaseNameForFileName -showSnippets:0"
+
+while getopts 'c' opt; do
+  case "$opt" in
+    "c") coverage=1; rm -rf $outdir; mkdir -p $outdir ;;
+  esac
+done
+shift $(($OPTIND - 1))
+
+## Tracks if there have been any failures
+ANYFAIL=0
+
+## Loop over all remaining command-line arguments
+for file in $@ ; do
+dir=$(dirname "$file")
+dir=`cd "$dir" && pwd`
+
+defaultCommand=
+defaultExit=
+defaultLang=
+useHeadings=0
+checkIds=0
+
+## Temporary files
+text="$dir/text.dfy"
+actualOut="$dir/actual_out.tmp"
+actualMsgs="$dir/actual_msgs.tmp"
+actualError="$dir/actual_error.tmp"
+tocheck="$actualOut"
+
+## Whether this file fails
+FAIL=0
+## line number
+n=0
+## if inblock==1 we are in a ```-delimited block
+inblock=0
+
+msg=
+use=
+expectedExit=
+command=
+expectFile=
+options=( )
+first=0
+checkerr=0
+default=0
+globalDefaultExit=
+## Read and process each line of the file.  The file is input on stdin 
+## by redirection after the 'done' corresponding to this while-do
+while IFS= read -r line
+do 
+  let n++
+
+  ## For header lines, extract the error message from the header text
+  ## (everything but the initial ##[ ]*, the enclosing ** and the appended {#_errorid_})
+  ## The sed commands turn this into a pattern matching regex to match against the output of applying dafny to the example in the text:
+  ## remove the trailing error id if present; remove initial ## **; remove trailing '**' and errorid; turn any italicized text, which marks some
+  ## hole in the template to a '.*' matcher. Also, escape any regex-special characters.
+
+  ( echo "$line" | grep -E -e '[#][#] ' > /dev/null ) \
+   && msg=`echo "$line" | sed -E -e 's/ [ ]*\{#.*\}[ ]*$//' -e 's/^##[ ]*[*]*//' -e 's/[*]*$//' -e 's/\\*/\\\\*/' -e 's/\[/\\\[/g' -e 's/\]/\\\]/g' -e 's/_[A-Za-z]+_/.*/g'`\
+   && expid=`echo $line | sed -e 's/^.*[\{][\#]//' -e 's/[\}]$//'`
+  if [ "$checkIds" == "0" ]; then expid= ; fi
+  ## msg - the error message turned into a regex
+  ## expid -- the expected errorId if any
+
+  ## Check for the test command information
+  echo "$line" | grep '^[ ]*<!-- [ ]*%' > /dev/null
+  if [ "$?" == "0" ]; then 
+      ##echo COMMAND "$line"
+      contents=( `echo "$line" | sed -e 's/[^<]*<!--//' -e 's/-->//'` )
+      echo "$line" | grep -e '%default' > /dev/null
+      if [ "$?" == "0" ]; then 
+        default=1; 
+        echo "$line" | grep -e '%useHeadings' > /dev/null
+        if [ "$?" == "0" ]; then useHeadings=1; fi
+        echo "$line" | grep -e '%lang=' > /dev/null
+        if [ "$?" == "0" ]; then defaultLang=`echo "$line" | sed -e 's/^.*%lang=//' | sed -e 's/ .*$//'` ; fi
+        echo "$line" | grep -e '%exit=' > /dev/null
+        if [ "$?" == "0" ]; then globalDefaultExit=`echo "$line" | sed -e 's/^.*%exit=//' | sed -e 's/ .*$//'` ; fi
+        echo "$line" | grep -e '%check-ids' > /dev/null
+        if [ "$?" == "0" ]; then checkIds=1; fi
+        defaultCommand=${contents[0]}
+        continue
+      fi
+      command=${contents[0]}
+      contents=( ${contents[@]:1} )
+      while [ ${#contents[@]} != "0" ]; do
+        if [ "${contents[0]}" == "%use" ]; then
+          use=${contents[1]}
+          contents=( ${contents[@]:2} )
+        elif [ "${contents[0]}" == "%save" ]; then
+          save=${contents[1]}
+          contents=( ${contents[@]:2} )
+        elif [ "${contents[0]}" == "%exit" ]; then
+          expectedExit=${contents[1]}
+          contents=( ${contents[@]:2} )
+        elif [ "${contents[0]}" == "%err" ]; then
+          tocheck="$actualError"
+          contents=( ${contents[@]:1} )
+        elif [ "${contents[0]}" == "%first" ]; then
+          first=1
+          contents=( ${contents[@]:1} )
+        elif [ "${contents[0]}" == "%nomsg" ]; then
+          msg=
+          contents=( ${contents[@]:1} )
+        elif [ "${contents[0]}" == "%options" ]; then
+          contents=${contents[@]:1}
+          options=${contents[@]}
+          contents=()
+        elif [ -z "${contents[0]}" ]; then
+          contents=()
+        else
+          expect=${contents[0]}
+          contents=( ${contents[@]:1} )
+        fi
+      done
+  fi
+  ## Check for the marker
+  echo "$line" | grep -e '^[ ]*[`][`][`]' > /dev/null 
+  if [ "$?" != "0" ]; then
+    if [ "$inblock" == "1" ]; then
+      ## If in a backtick block, save the text to the temporary file - erase any ... which are just placeholders in some examples
+      echo "$line" | sed -e 's/^[ ]*\.\.\./   /' >> $text
+    fi
+  elif [ "$inblock" == "0" ]; then
+    ## Start of backtick block
+    ## get language
+    lang=`echo "$line" | sed -e 's/^[ ]*\`\`\`[\`]*//' -e 's/[ ]*$//'`
+    if [ -z "$lang" ]; then
+      lang=$defaultLang
+      if [ -z "$lang" ]; then
+        echo NO LANGUAGE LABEL $n "$line"
+        FAIL=1
+      fi
+    fi
+
+    inblock=1
+    rm -f "$text"
+    touch "$text"
+  else
+      ## End of backtick block, so check the text
+      if [ -z "$command" -a "$lang" == "dafny" ]; then
+        command="$defaultCommand"
+        if [ -z "$command" ]; then
+          echo "NO COMMAND GIVEN $n $line"
+          FAIL=1
+        fi
+      fi
+      inblock=0
+      if [ -n "$use" ]; then
+        cat "$use" >> $text
+      fi
+      if [ -n "$save" ]; then
+         cp $text $save
+         save=
+      fi
+      if [ "$lang" == "dafny" -o "$lang" == "cli" -o "$lang" == "bash" ]; then
+        ## This script can take some time, so this reports progress
+        if [ "$coverage" == "1" ]; then
+          echo "GENERATING $n $file $command $expect $expid"
+        else
+          echo "TESTING $n $file $command $expect $expid"
+        fi
+      fi
+      ischeck=0
+      echo $command | grep '%check-' >> /dev/null
+      if [ "$?" == "0" ]; then ischeck=1; fi
+      iswarn=0
+      echo $command | grep 'warn' >> /dev/null
+      if [ "$?" == "0" ]; then iswarn=1; fi
+      verb=`echo $command | sed -e 's/%check-//' -e 's/-warn//'`
+      if [ "$command" == "%no-check" ]; then
+        echo -n ""
+      elif [ "$verb" == "cli" ]; then
+        ## These are command-line error tests, so the expected exit is typically 1
+        if [ -z "$expectedExit" ]; then expectedExit=1 ; fi
+        if [ "$lang" != "bash" ]; then
+          echo EXPECTED A bash BLOCK, NOT $lang
+          FAIL=1
+        elif [ "$coverage" == "1" ]; then
+          ## The lit tests currently expect the text of the test to start with 'dafny' and become '%baredafny'
+          
+	  f="$outdir/$(basename $file)_${n}.dfy"
+          echo "// RUN: %exits-with" $expectedExit "%bare`cat $text`" " > /dev/null 2> /dev/null" > "$f"
+        else
+          isverbose=
+          if [ "$checkIds" == "1" ]; then isverbose="--verbose" ; fi
+          PATH="$dafnydir:$PATH" . $text $isverbose > "$actualOut" 2> "$actualError"
+          actualExit=$?
+          if [ "$actualExit" != "$expectedExit" ]; then
+             if [ "$actualExit" == "127" -a "$expectedExit" == "1" ]; then
+               echo EXIT CODE is $actualExit
+               which dafny
+             else
+               echo EXPECTED EXIT CODE OF $expectedExit, GOT $actualExit
+               FAIL=1
+             fi
+          fi
+          if [ "$first" == "1" ]; then
+            act=`cat "$tocheck" | head -1 | sed -e 's/^.*Error/Error/'`
+          else
+            act=`cat "$tocheck" | sed -e 's/^.*Error/Error/'`
+          fi
+          dif=`echo "$act" | tr "\n" " " | sed -e 's/[ ]*$//' -e "s@$msg@@"`
+          if [ -n "$dif" ]; then
+            echo ACTUAL OUTPUT DOES NOT MATCH EXPECTED: "$msg" VS "$act"
+            FAIL=1
+          elif [ -z "$act" -a "$useHeadings" == "1" ]; then
+            echo "NO OUTPUT TO COMPARE"
+            FAIL=1
+          fi
+        fi
+      elif [ "$ischeck" == "1" ]; then ## Not cli though
+        dOptions=$defOptions
+        if [ -z "$expect" -a "$useHeadings" == "0" ]; then
+          defaultExit=0
+        elif [ "$iswarn" == "1" ]; then
+          dOptions="$dOptions --allow-warnings"
+          defaultExit=0
+        elif [ "$verb" == "verify" ]; then
+          defaultExit=4
+        elif [ "$verb" == "resolve" ]; then
+          defaultExit=2
+        elif [ "$verb" == "translate" ]; then
+          defaultExit=3
+        elif [ "$verb" == "build" ]; then
+          defaultExit=0
+        elif [ "$verb" == "run" ]; then
+          defaultExit=0
+          if [ "$useHeadings" == "1" ]; then defaultExit=3; fi
+        elif [ "$verb" == "test" ]; then
+          defaultExit=2
+        elif [ "$verb" == "legacy" ]; then
+          defaultExit=0
+          if [ "$useHeadings" == "1" ]; then defaultExit=3; fi
+          if [ "$defaultCommand" == "%check-resolve" ]; then defaultExit=2 ; fi
+        fi
+        if [ "$verb" == "legacy" ]; then 
+          dOptions=$legacyOptions
+          verb= 
+        fi
+        if [ -z "$expectedExit" ]; then expectedExit=$defaultExit ; fi
+        if [ "$coverage" == "1" ] ; then
+          f=$outdir/$(basename $file)_${n}.dfy
+          if  [ "$command" == "%check-legacy" ]; then
+            echo "// RUN: %exits-with" $expectedExit "%baredafny" "/showSnippets:0" $verb $dOptions ${options[@]} '"%s" > "%t"' > "$f"
+            echo " " >> $f
+            cat $text >> $f
+          elif [ "$command" == "%check-cli" ]; then
+            echo "// RUN: %exits-with $expectedExit %bare`cat $text` > /dev/null 2> /dev/null" > $f
+          else
+            echo "// RUN: %exits-with $expectedExit %baredafny $verb $dOptions ${options[@]}" '"%s" > "%t"' > "$f"
+            echo " " >> "$f"
+            cat "$text" >> "$f"
+          fi
+        else
+          if [ "$command" == "%check-legacy" ]; then
+            isverbose=-compileVerbose:$checkIds
+            (cd "$dir"; "$dafny" /showSnippets:0 $dOptions $isverbose ${options[@]} $text   ) > "$actualOut" 2> "$actualError"
+          else
+            isverbose=
+            if [ "$checkIds" == "1" ]; then isverbose="--verbose" ; fi
+            ( cd "$dir" ; "$dafny" $verb $isverbose $permOptions $dOptions ${options[@]} $text ) > "$actualOut" 2> "$actualError"
+          fi
+          actualExit=$?
+          if [ "$useHeadings" == "1" ]; then
+            if [ "$first" == "1" ]; then
+              cat "$actualOut" | grep -E '(Error|Warning):' | head -1 > "$actualMsgs"
+            else
+              cat "$actualOut" | grep -E '(Error|Warning):' > "$actualMsgs"
+            fi
+            actualid=
+            grep 'ID:' "$actualMsgs" > /dev/null
+            if [ "$?" == "0" -a "$checkIds" == "1" ]; then
+              num=`cat "$actualMsgs" | sed -e 's/^.*[\(]ID: //' -e 's/[\)]$//' | sort -u | wc -l | sed -e 's/[ \t]*//'`
+              if [ "$num" != "1" ]; then
+                 echo "UNEXPECTED NUMBER OF DIFFERENT IDS: $num"
+                 FAIL=1
+              fi
+              actualid=`cat "$actualMsgs" | sed -e 's/^.*[\(]ID: //' -e 's/[\)]$//' | sort -u`
+            fi
+            act=`cat "$actualMsgs" | sed -e 's/^[^:]*: //' -e 's/ [ ]*[\(]ID: .*$//' `
+            if [ "$checkIds" == "1" -a "$actualid" != "$expid" -a -n "$msg" ] ; then
+              echo ERROR ID MISMATCH "$actualid : $expid"
+              cat "$actualMsgs"
+            fi
+            if [ -n "$msg" ]; then
+              dif=`echo "$act" | sed -e "s@$msg@@g" | sed -e 's/[ ]*//'`
+              if [ -z "$act" -a "$expectedExit" != "0" ] ; then
+                 echo NO ERROR MESSAGE FOUND
+                 FAIL=1
+              fi
+              if [ -n "$dif" ] ; then
+                 echo NO MATCH 
+                 echo PAT "$msg"
+                 echo ACT "$act"
+                 echo DIF "$dif"
+                 FAIL=1
+              fi
+              if [ "$actualExit" != "$expectedExit" ]; then
+                echo EXPECTED EXIT CODE $expectedExit, got $actualExit
+                FAIL=1
+              fi
+            else 
+              if [ -n "$act" ]; then
+                echo "EXPECTED NO ERROR, got " $act
+                FAIL=1
+              fi
+              if [ "$actualExit" != "0" ]; then
+                echo EXPECTED EXIT CODE 0, got $actualec
+                FAIL=1
+              fi
+            fi
+          elif [ -z "$expect" ]; then
+            # No output file -- so no error expected
+            if [ "$actualExit" != "0" ]; then
+              echo "TEST FAILED" $file line $n  $command $expect
+              cat "$text"
+              cat "$actualOut"
+              FAIL=1
+            fi
+            if [ `cat "$actualOut" | wc -l ` != "2" ]; then
+              echo ACTUAL ERROR OUTPUT BUT NONE EXPECTED
+              cat "$actualOut"
+              FAIL=1
+            fi
+          else
+            if [ "$actualExit" != "$expectedExit" ]; then
+              echo EXPECTED EXIT CODE $expectedExit, got $actualExit
+              FAIL=1
+            fi
+            if [ -e "$dir/$expect" ]; then
+              diff -b -B "$actualOut" "$dir/$expect"
+              if [ "$?" != "0" ]; then
+                FAIL=1
+                echo Actual output differs from expected
+                echo "TEST FAILED" $file line $n  $command $expect
+                cat "$text"
+                cat "$actualOut"
+              fi
+            else
+              cat "$actualOut"
+              FAIL=1
+            fi
+          fi
+        fi
+      elif [ "$lang" == "dafny" ]; then
+         echo UNKNOWN TEST COMMAND $command
+         FAIL=1
+      fi
+      use=
+      command=
+      expect=
+      expectedExit=
+      options=( )
+      first=0
+      tocheck="$actualOut"
+  fi
+done < "$file"
+rm -rf *.tmp $text.*
+
+if [ "$inblock" == "1" ]; then
+  echo UNCLOSED BACKTICK BLOCK
+  FAIL=1
+fi
+
+if [ "$FAIL" == "1" ] ; then 
+  echo "Test Failure: $file"
+  ANYFAIL=1
+fi
+
+rm -f $text *.tmp
+done
+exit $ANYFAIL
diff --git a/v4.10.0/dafny.sty b/v4.10.0/dafny.sty
new file mode 100644
index 0000000..013d31d
--- /dev/null
+++ b/v4.10.0/dafny.sty
@@ -0,0 +1,114 @@
+% dafny.sty
+% Dafny mode for the LaTeX listings package.
+% Rustan Leino, 22 June 2008.
+
+\usepackage{listings}
+
+\lstdefinelanguage{dafny}{
+  morekeywords={class,datatype,codatatype,newtype,type,iterator,trait,extends,
+      bool,char,nat,int,real,object,set,iset,multiset,seq,string,map,imap,array,array2,array3,
+      bv0,bv1,bv2,bv3,bv4,bv5,bv6,bv7,bv8,bv12,bv16,bv20,bv24,bv32,bv48,bv64,bv128,
+      function,predicate,copredicate,inductive,
+      ghost,var,const,static,refines,
+      method,lemma,constructor,colemma,twostate,
+      returns,yields,abstract,module,export,import,default,opened,as,in,
+      requires,modifies,ensures,reads,decreases,include,provides,reveals,witness,
+      % expressions
+      match,case,false,true,null,old,fresh,allocated,unchanged,this,
+      % statements
+      assert,by,assume,expect,print,new,if,then,else,while,invariant,break,label,return,yield,
+      where,calc,modify
+      },
+  literate=%
+    {:}{$\colon$}1
+    {::}{$\bullet$}2
+    {:=}{$:$$=$}2
+    {:|}{${:}\!\!|$}2
+    {!}{$\lnot$}1
+    {!!}{$\not\cap$}1
+    {==}{$=$}1
+    {!=}{$\neq$}1
+    {&&}{$\land$}1
+    {||}{$\lor$}1
+    {<=}{$\le$}1
+    {>=}{$\ge$}1
+    % the following isn't actually Dafny, but it gives the option to produce nicer latex
+    {<=set}{$\subseteq$}1
+    {+set}{$\cup$}1
+    {*set}{$\cap$}1
+    {==>}{$\Longrightarrow$}3
+    {<==}{$\Longleftarrow$}3
+    {=>}{$\Rightarrow$}2
+    {<==>}{$\Longleftrightarrow$}4
+    {forall}{$\forall$}1
+    {exists}{$\exists$}1
+    {!in}{$\not\in$}1
+    {\\in}{$\in$}1
+    % the following isn't actually Dafny, but it gives the option to produce nicer latex
+    {<<}{$\langle$}1
+    {>>}{$\rangle$}1
+    {(==)}{${}^{(=)}$}2
+    {...}{$\ldots$}2
+    {\\alpha}{$\alpha$}1
+    {\\beta}{$\beta$}1
+    {\\gamma}{$\gamma$}1
+    {\\delta}{$\delta$}1
+    {\\epsilon}{$\epsilon$}1
+    {\\zeta}{$\zeta$}1
+    {\\eta}{$\eta$}1
+    {\\theta}{$\theta$}1
+    {\\iota}{$\iota$}1
+    {\\kappa}{$\kappa$}1
+    {\\lambda}{$\lambda$}1
+    {\\mu}{$\mu$}1
+    {\\nu}{$\nu$}1
+    {\\xi}{$\xi$}1
+    {\\pi}{$\pi$}1
+    {\\rho}{$\rho$}1
+    {\\sigma}{$\sigma$}1
+    {\\tau}{$\tau$}1
+    {\\upsilon}{$\upsilon$}1
+    {\\phi}{$\phi$}1
+    {\\chi}{$\chi$}1
+    {\\psi}{$\psi$}1
+    {\\omega}{$\omega$}1
+    {\\Gamma}{$\Gamma$}1
+    {\\Delta}{$\Delta$}1
+    {\\Theta}{$\Theta$}1
+    {\\Lambda}{$\Lambda$}1
+    {\\Xi}{$\Xi$}1
+    {\\Pi}{$\Pi$}1
+    {\\Sigma}{$\Sigma$}1
+    {\\Upsilon}{$\Upsilon$}1
+    {\\Phi}{$\Phi$}1
+    {\\Psi}{$\Psi$}1
+    {\\Omega}{$\Omega$}1
+    ,
+  sensitive=true,  % case sensitive
+  morecomment=[l]{//},
+  morecomment=[s]{/*}{*/},
+  morecomment=[s]{\{:}{\}},
+  morestring=[b]",
+  numbers=none,
+  firstnumber=0,
+  numberstyle=\tiny,
+  stepnumber=5,
+  basicstyle=\scriptsize\sffamily,
+  commentstyle=\itshape,
+  keywordstyle=\bfseries,
+  ndkeywordstyle=\bfseries,
+}
+\lstnewenvironment{dafny}[1][]{%
+  \lstset{language=dafny,
+    floatplacement={tbp},captionpos=b,
+    frame=lines,xleftmargin=8pt,xrightmargin=8pt,basicstyle=\ttfamily,#1}}{}
+\lstnewenvironment{dafnyNoLines}[1][]{%
+  \lstset{language=dafny,
+    floatplacement={tbp},captionpos=b,
+    xleftmargin=8pt,xrightmargin=8pt,basicstyle=\ttfamily,#1}}{}
+\def\inlinedafny{%
+    \lstinline[language=dafny,basicstyle=\ttfamily,columns=fixed]}
+\newcommand{\lstfile}[1]{
+  \lstinputlisting[language=dafny,%
+    frame=lines,xleftmargin=8pt,xrightmargin=8pt,basicstyle=\ttfamily,columns=fixed]{#1}
+}
diff --git a/v4.10.0/examples/README.md b/v4.10.0/examples/README.md
new file mode 100644
index 0000000..78cb9dd
--- /dev/null
+++ b/v4.10.0/examples/README.md
@@ -0,0 +1,16 @@
+---
+title: Miscellaneous Dafny Examples
+---
+
+The links below connect to annotated examples of Dafny source code,
+demonstrating various coding techniques or proof capabilities.
+Each of these verify successfully.
+
+The files for these examples can be found in 
+the [examples folder of Dafny's github project](https://github.com/dafny-lang/dafny/tree/master/Source/IntegrationTests/TestFiles/LitTests/LitTest/examples).
+
+- [Simple Maximum method](https://github.com/dafny-lang/dafny/tree/master/Source/IntegrationTests/TestFiles/LitTests/LitTest/examples/maximum.dfy)
+- [Tutorial on parser combinators](https://github.com/dafny-lang/dafny/tree/master/Source/IntegrationTests/TestFiles/LitTests/LitTest/examples/parser_combinators.dfy)
+- [A simple compiler](https://github.com/dafny-lang/dafny/tree/master/Source/IntegrationTests/TestFiles/LitTests/LitTest/examples/Simple_compiler)
+- [An example of significant use of induction on a mini-compiler](https://github.com/dafny-lang/dafny/tree/master/Source/IntegrationTests/TestFiles/LitTests/LitTest/examples/induction-principle.md)
+
diff --git a/v4.10.0/images/Demo.png b/v4.10.0/images/Demo.png
new file mode 100644
index 0000000..1cea067
Binary files /dev/null and b/v4.10.0/images/Demo.png differ
diff --git a/v4.10.0/images/DutchFlag.dfy b/v4.10.0/images/DutchFlag.dfy
new file mode 100644
index 0000000..67bbfc9
--- /dev/null
+++ b/v4.10.0/images/DutchFlag.dfy
@@ -0,0 +1,43 @@
+method Main()
+{
+  var a := new Color[3];
+  a[0] := White;
+  a[1] := Blue;
+  a[2] := Red;
+  assert a[..] == [White, Blue, Red];
+  DutchFlag(a);
+  assert Ordered(a[0], a[1]);
+  assert Ordered(a[1], a[2]);
+  assert a[..] == [Red, White, Blue];
+}
+
+datatype Color = Red | White | Blue
+
+predicate Ordered(c: Color, d: Color)
+{
+  c == Red ||
+  c == d ||
+  d == Blue
+}
+
+method DutchFlag(a: array<Color>)
+  requires a != null modifies a
+  ensures forall i,j :: 0 <= i < j < a.Length  ==>  Ordered(a[i], a[j])
+  ensures multiset(a[..]) == old(multiset(a[..]))
+{
+  var r, w, b := 0, 0, a.Length;
+  while w != b
+    invariant 0 <= r <= w <= b <= a.Length;
+    invariant forall i :: 0 <= i < r ==> a[i] == Red
+    invariant multiset(a[..]) == old(multiset(a[..]))
+  {   match a[w]
+        case Red =>
+          a[r], a[w] := a[w], a[r];
+          r, w := r + 1, w + 1;
+        case White =>
+          w := w + 1;
+        case Blue =>
+          b := b - 1;
+          a[w], a[b] := a[b], a[w];
+  }
+}
diff --git a/v4.10.0/images/dafny-banner.png b/v4.10.0/images/dafny-banner.png
new file mode 100644
index 0000000..89fa4a3
Binary files /dev/null and b/v4.10.0/images/dafny-banner.png differ
diff --git a/v4.10.0/images/dafny-banner.xcf b/v4.10.0/images/dafny-banner.xcf
new file mode 100644
index 0000000..8c52b13
Binary files /dev/null and b/v4.10.0/images/dafny-banner.xcf differ
diff --git a/v4.10.0/images/dafny-favicon.png b/v4.10.0/images/dafny-favicon.png
new file mode 100644
index 0000000..fa48643
Binary files /dev/null and b/v4.10.0/images/dafny-favicon.png differ
diff --git a/v4.10.0/images/dafny-favicon.svg b/v4.10.0/images/dafny-favicon.svg
new file mode 100644
index 0000000..90adbf6
--- /dev/null
+++ b/v4.10.0/images/dafny-favicon.svg
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="32px" height="32px" viewBox="0 0 32 32" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <title>favicon</title>
+    <g id="favicon" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+        <rect fill="#FDED06" x="0" y="0" width="32" height="32"></rect>
+        <path d="M15.280597,4.5 C19.8135372,4.5 21.9011105,5.46268333 23.7359723,7.18817376 C25.4098587,8.78323296 26.5,11.4079165 26.5,14.2477876 C26.5,17.3655229 25.3984779,19.5713207 23.7313463,21.3952942 C21.8194335,23.4820427 18.7901054,24.4334877 15.0336052,24.4966234 L14.6283582,24.5 L10.1477612,24.5 C9.40103406,24.5 8.9679317,24.4095536 8.69803115,24.18094 C8.45350134,23.9738161 8.28770337,23.6452837 8.26176849,23.0053883 L8.25820896,22.8230088 L8.25820896,8.08259587 C8.25820896,7.90475733 8.0793881,7.78615596 7.91157799,7.68467045 C7.59116487,7.49089615 7.15765564,7.37758112 6.76567164,7.37758112 C6.26930396,7.37758112 5.98657534,7.25514862 5.80076867,7.06473383 C5.61923514,6.87869815 5.5,6.59337078 5.5,6.09292035 C5.5,5.72941575 5.58325454,5.46975289 5.70928078,5.28294408 C6.8618654,4.78542554 7.54248697,4.71857625 8.24248499,4.66233569 C9.65078509,4.55692516 10.5651811,4.50648152 10.9323795,4.50058783 L10.9985075,4.5 L15.280597,4.5 Z M13.2987522,7.50040098 C12.9662822,7.50160913 12.7416843,7.48560614 12.5,7.72249107 L12.5,7.72249107 L12.5,20.8764045 L12.4998854,20.9802821 C12.5005829,21.1479868 12.5111205,21.2866899 12.6124609,21.3682073 C12.7660679,21.4917675 13.0285209,21.5 13.3968254,21.5 L13.3968254,21.5 L14.9391534,21.5 L15.2233739,21.498179 C17.2196288,21.4721315 19.343151,21.1551372 20.7321137,19.8144123 C21.8663983,18.7195206 22.5,16.9687249 22.5,15.1741573 C22.5,12.8284136 21.7195981,10.8972044 20.3247063,9.55075628 C18.660917,7.94474919 17.0377315,7.5000204 13.2987522,7.50040098 Z" id="D" stroke="#000863" fill="#333A90" fill-rule="nonzero"></path>
+        <path d="M32,32 L-1.25309485e-13,32 C-0.13143445,28.8787226 0.0749578152,27.260643 0.619176794,27.1457614 C1.06677271,27.0512732 1.40504578,26.9845332 1.6450075,27.354436 C2.36989786,28.2734645 3.15915204,29.1396938 4.06833866,29.8993027 C5.51192486,31.124726 5.45538808,29.8533817 6.91352765,28.1213943 C7.32624413,27.4874034 8.79620218,26.3584108 10.2234033,27.4731759 C11.8697514,28.5771272 14.3573732,30.5111402 14.9171888,29.7543208 C15.7964924,28.8814649 16.145965,28.2251966 16.7010826,27.8408274 C18.3457903,26.7020175 19.2401012,27.1241622 20.6099274,28.5164309 C21.4168789,29.1615095 22.5295182,29.9613714 23.4812306,29.6351223 C23.998115,29.4579311 24.3386969,28.802927 25.071059,27.8348473 C25.3563599,27.3303275 26.702965,26.6332968 27.7439941,27.2291618 L32,29 L32,32 Z" id="water-fill" fill="#71BD99" fill-rule="nonzero"></path>
+        <path d="M0.038351795,30 C-0.0930826545,28.2120559 0.11330961,27.260643 0.657528589,27.1457614 C1.10512451,27.0512732 1.44339757,26.9845332 1.68335929,27.354436 C2.40824965,28.2734645 3.19750384,29.1396938 4.10669046,29.8993027 C5.55027666,31.124726 5.49373988,29.8533817 6.95187944,28.1213943 C7.36459592,27.4874034 8.83455398,26.3584108 10.2617551,27.4731759 C11.9081032,28.5771272 14.395725,30.5111402 14.9555406,29.7543208 C15.8348442,28.8814649 16.1843168,28.2251966 16.7394344,27.8408274 C18.3841421,26.7020175 19.278453,27.1241622 20.6482792,28.5164309 C21.4552307,29.1615095 22.56787,29.9613714 23.5195824,29.6351223 C24.0364668,29.4579311 24.3770487,28.802927 25.1094108,27.8348473 C25.3947117,27.3303275 26.7413168,26.6332968 27.7823459,27.2291618 L32.0383518,29" id="Path" stroke="#74ADAC" stroke-linecap="round" stroke-linejoin="round" fill-rule="nonzero"></path>
+    </g>
+</svg>
diff --git a/v4.10.0/images/dafny-logo-230.png b/v4.10.0/images/dafny-logo-230.png
new file mode 100644
index 0000000..3c6a036
Binary files /dev/null and b/v4.10.0/images/dafny-logo-230.png differ
diff --git a/v4.10.0/images/dafny-logo.jpg b/v4.10.0/images/dafny-logo.jpg
new file mode 100644
index 0000000..1763c64
Binary files /dev/null and b/v4.10.0/images/dafny-logo.jpg differ
diff --git a/v4.10.0/images/dafny-thumbnail.jpg b/v4.10.0/images/dafny-thumbnail.jpg
new file mode 100644
index 0000000..d0d55a3
Binary files /dev/null and b/v4.10.0/images/dafny-thumbnail.jpg differ
diff --git a/v4.10.0/index.html b/v4.10.0/index.html
new file mode 100644
index 0000000..73f4f9f
--- /dev/null
+++ b/v4.10.0/index.html
@@ -0,0 +1,99 @@
+<!doctype html>
+
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+
+  <title>Dafny</title>
+  <link href="style.css" rel="stylesheet">
+  <meta name="description" content="The Dafny Programming and Verification Language and tools.">
+  <meta name="author" content="Dafny project">
+
+  <meta property="og:title" content="Dafny">
+  <meta property="og:type" content="website">
+  <meta property="og:url" content="https://dafny.org">
+  <meta property="og:description" content="The Dafny Programming and Verification Language and tools">
+  <meta property="og:image" content="image.png">
+
+  <link rel="icon" href="images/dafny-favicon.png" type="image/png">
+  <link rel="icon" href="images/dafny-favicon.svg" type="image/svg+xml">
+</head>
+
+<body>
+<header>
+<h1>The Dafny Programming and Verification Language</h1>
+<!-- VERSION INFO HERE-->v4.10.0 documentation snapshot
+</header>
+
+<nav>
+<h2>Quick Links</h2>
+<ul>
+<li><a href="./Installation"><b>Installation</b></a>
+     (or a <a href="https://marketplace.visualstudio.com/items?itemName=dafny-lang.ide-vscode">VSCode plugin for Dafny</a>)</li>
+<li><a href="https://dafny.zulipchat.com/" target="_blank" rel="noopener noreferrer">Zulip channel</a> to ask questions about Dafny</li>
+<li><a href="./DafnyRef/DafnyRef">Dafny Reference Manual and User Guide</a></li>
+<li><a href="./toc">Dafny Resources for Users</a></li>
+<li><a href="https://github.com/dafny-lang/dafny">Dafny GitHub project (for developers of the Dafny tools themselves)</a></li>
+<li><a href="Snapshots">Other documentation snapshots</a></li>
+<li><a href="https://mitpress.mit.edu/9780262546232/program-proofs"><i><b note="We can deemphasize this announcement on March 2024 or later">Book on Program Proofs using Dafny!:</b></i> <I>Program Proofs</i>, by Rustan Leino, MIT Press</a></li>
+</ul>
+<h2><a href="/blog/"><b>Blog</b></a><iframe src="/blog/" style="display:none"></iframe></h2>
+</nav>
+
+<main>
+<p>
+<img id="logo" src="images/dafny-logo.jpg" alt="The Dafny logo, showing the word Dafny in blue next to wavy black and blue lines.">
+<b>Dafny</b> is a verification-aware programming language that has native support for recording specifications
+and is equipped with a static program verifier.
+By blending sophisticated automated reasoning with familiar programming idioms and tools,
+Dafny empowers developers to write provably correct code (w.r.t. specifications).
+It also compiles Dafny code to familiar development environments such as C#, Java, JavaScript and Go (with more in progress, such as Python) so Dafny can integrate with your existing workflow.
+Dafny makes rigorous verification an integral part of development,
+thus reducing costly late-stage bugs that may be missed by testing.
+</p>
+
+<p>
+In addition to a verification engine to check implementation against specifications,
+the Dafny ecosystem includes several compilers,
+plugins for common software development IDEs,
+a LSP-based Language Server,
+a code formatter,
+a reference manual,
+tutorials,
+power user tips,
+books,
+the experiences of professors teaching Dafny,
+and the accumulating expertise of industrial projects using Dafny.
+</p>
+
+<p>Dafny has support for common programming concepts such as </p>
+<ul>
+<li>mathematical and bounded integers and reals, bit-vectors, classes, iterators, arrays, tuples, generic types, refinement and inheritance,</li>
+<li><a href="./latest/DafnyRef/DafnyRef#sec-inductive-datatypes">inductive datatypes</a> that can have methods and are suitable for pattern matching,</li>
+<li><a href="./latest/DafnyRef/DafnyRef#sec-co-inductive-datatypes">lazily unbounded datatypes</a>,</li>
+<li><a href="./latest/DafnyRef/DafnyRef#sec-subset-types">subset types</a>, such as for bounded integers,</li>
+<li><a href="./latest/DafnyRef/DafnyRef#sec-lambda-expressions">lambda expressions</a> and functional programming idioms,</li>
+<li>and <a href="./latest/DafnyRef/DafnyRef#sec-collection-types">immutable and mutable data structures</a>.</li>
+</ul>
+
+<p>Dafny also offers an extensive toolbox for mathematical proofs about software, including</p>
+<ul>
+<li><a href="./latest/DafnyRef/DafnyRef#sec-quantifier-domains">bounded and unbounded quantifiers</a>,</li>
+<li><a href="./latest/DafnyRef/DafnyRef#sec-calc-statement">calculational proofs</a> and the ability to use and prove lemmas,</li>
+<li><a href="./latest/DafnyRef/DafnyRef#sec-specification-clauses">pre- and post-conditions, termination conditions, loop invariants, and read/write specifications</a>.</li>
+</ul>
+
+<figure id="snapshot">
+<img src="images/Demo.png" alt="A snippet of code shown in the VSCode IDE showing an implementation of the Dutch national flag problem written in Dafny.  IDE extensions are showing successes and failures in verification reported by the Dafny Language Server running in real time.">
+<figcaption>Dafny running in Visual Studio Code</figcaption>
+</figure>
+</main>
+<script>
+var frame = document.querySelector("iframe");
+frame.addEventListener( "load", function(e) {
+  frame.outerHTML = x.contentWindow.document.querySelector("ul.post-list").outerHTML
+} );
+</script>
+</body>
+</html>
diff --git a/v4.10.0/make-snapshot b/v4.10.0/make-snapshot
new file mode 100644
index 0000000..56ddb78
--- /dev/null
+++ b/v4.10.0/make-snapshot
@@ -0,0 +1,140 @@
+#! /usr/bin/env bash
+
+## This script copies the current development docs into the dafny.org
+## user-facing web pages, making a snapshot of the current docs.
+## It is intended to be run as part of a release procedure (so that
+## the docs snapshot corresponds to the release functionality).
+## The script creates two PRs -- one in the dafny-lang/dafny repo and
+## one in the dafny-lang/dafny-lang.github.io repo. These need to be
+## reviewed, approved and merged. After that is successful the 
+## local and remote snapshot-vX.Y.Z branches can be deleted.
+
+## This procedure creates clones in a temporary location,
+## so it has no effect on the user's git workspaces.
+## It does however use the user's git credentials.
+
+## The script takes one argument -- the release name in X.Y.Z form
+## (The script prepends a 'v' as the release folder name.)
+## It also takes one option: -b <branchname>
+## (the branch used defaults to 'master')
+
+if [ ! `which gh` ]; then echo "This script requires that gh is installed"; exit 1; fi
+if [ ! `which git` ]; then echo "This script requires that git is installed"; exit 1; fi
+
+## Check that gh is logged in by running gh auth status, and if not, run gh auth login
+if [ -z "`gh auth status | grep -i logged`" ]; then
+  gh auth login;
+fi
+
+if [ "$#" == "0" ]; then
+  echo "Usage: ./make-snapshot -b <branch> <version>"
+  exit 0
+fi
+
+branch=master
+if [ "$1" == "-b" ]; then
+  branch=$2
+  shift 2
+fi
+
+if [ "$#" != "1" ]; then
+  echo Expected the new version number as the one argument, in the format x.y.z
+  exit 1
+fi
+
+echo Making a snapshot from branch $branch named version $1
+
+## The version name
+V=v$1
+## Text string in index.html that marks where to put the version text
+M='<!-- VERSION INFO HERE-->'
+
+## Location of the development docs folder
+D=$(dirname "$BASH_SOURCE")
+cd "$D"
+
+## Branch name
+B=`echo snapshot-$V | sed -e "s/\./_/g"`
+
+## Temp folder in which to clone
+P=/tmp/docsnapshotT
+
+if [ -n "$WINDIR" ]; then
+  P=/c/tmp/docsnapshotT
+fi
+
+rm -rf $P
+mkdir -p $P
+
+CWD=`pwd`
+cd $P
+(git clone git@github.com:dafny-lang/dafny.git -b $branch --depth 1) || \
+    (echo FAILED to clone dafny; exit 1)
+(git clone git@github.com:dafny-lang/dafny-lang.github.io.git -b main --depth 1) || \
+    (echo FAILED to clone dafny-lang.github.io; exit 1)
+cd $CWD
+
+## Location of the dafny-lang.github.io repo
+T=$P/dafny-lang.github.io
+##T=/Users/davidcok/projects/dafny/dafny-lang.github.io
+
+cd "$P/dafny/docs"
+
+echo Executing from `pwd`
+echo Target is "$T"
+echo Version is "$V"
+echo Branch is "$B"
+
+## Changes locally
+git checkout -b "$B" $branch
+sed -i -e "szlatest)zlatest)\n- [$V](https://dafny.org/$V)z" Snapshots.md
+rm Snapshots.md-e
+git add Snapshots.md
+git commit -m "Documentation snapshot for $V"
+git push --set-upstream origin "$B"
+(gh pr create --fill -R https://github.com/dafny-lang/dafny -B $branch --head "$B" | tail -1 > $P/url1) || \
+    (echo FAILED to create PR with gh; exit 1)
+
+## Changes on dafny-lang.github.io
+( cd $T && git checkout -b "$B" main ) || \
+    (echo FAILED to create target branch; exit 1)
+
+(cd $T; git rm -r latest; rm -rf latest; mkdir latest; git commit -m "Removing old latest")
+
+cp -R . "$T/$V" || ( echo copy FAILED; exit 1 )
+## Copy the latest snapshot "$T/$V" to the latest folder "$T/latest/"
+cp -R "$T/$V/." "$T/latest"
+cp Snapshots.md "$T"
+
+## Tweaks to snapshot files
+
+### Remove developer documentation
+rm -f -r "$T/$V/dev" "$T/latest/dev" > $P/removals
+### Adjust version information
+echo "$V release snapshot" > "$T/$V/DafnyRef/version.txt"
+echo "Latest release snapshot" > "$T/latest/DafnyRef/version.txt"
+
+grep -q "$M" $T/$V/index.html || (echo FAILED: No Version marker line in "$T/$V/index.html" ; exit 1 )
+
+sed -i -e "s/$M.*/${M}$V documentation snapshot/" $T/$V/index.html || (echo Version replacement FAILED; exit 1; )
+sed -i -e "s/$M.*/${M}Latest release documentation snapshot/" $T/latest/index.html || (echo Version replacement FAILED; exit 1; )
+
+CWD=`pwd`
+cd $T
+rm `find . -name index.html-e`
+
+(git add -u \
+  && git add "$V" \
+  && git add latest \
+  && (git commit -m "Documentation snapshot for $V" > $P/commitmessage )  \
+  ) || ( echo FAILED to commit or push the snapshot ; exit 1  ) \
+
+git status
+git push --set-upstream origin "$B"
+gh pr create --fill -R https://github.com/dafny-lang/dafny-lang.github.io -B main --head "$B" | tail -1 > $P/url2
+cd $CWD
+
+##diff -r . $T/latest
+##diff -r . $T/$V
+echo "Approve and merge these PRs: " `cat $P/url1` `cat $P/url2`
+echo "When complete, delete $P"
diff --git a/v4.10.0/news/6006.fix b/v4.10.0/news/6006.fix
new file mode 100644
index 0000000..33dd67b
--- /dev/null
+++ b/v4.10.0/news/6006.fix
@@ -0,0 +1 @@
+Fix soundness bug that could occur for opaque blocks with empty modifies clauses
\ No newline at end of file
diff --git a/v4.10.0/news/6028.feat b/v4.10.0/news/6028.feat
new file mode 100644
index 0000000..2bfb795
--- /dev/null
+++ b/v4.10.0/news/6028.feat
@@ -0,0 +1 @@
+Change the default value for --verification-time-limit to 30 seconds instead of 0 (no limit)
\ No newline at end of file
diff --git a/v4.10.0/news/fix.3809 b/v4.10.0/news/fix.3809
new file mode 100644
index 0000000..177fb99
--- /dev/null
+++ b/v4.10.0/news/fix.3809
@@ -0,0 +1 @@
+Fix C#, Java and Go generated code when a datatype contains a method named 'Default'
diff --git a/v4.10.0/news/fix.5746 b/v4.10.0/news/fix.5746
new file mode 100644
index 0000000..19e1b00
--- /dev/null
+++ b/v4.10.0/news/fix.5746
@@ -0,0 +1 @@
+Fix C# generated code when a module contains a type with the same name
diff --git a/v4.10.0/news/fix.6014 b/v4.10.0/news/fix.6014
new file mode 100644
index 0000000..614d71f
--- /dev/null
+++ b/v4.10.0/news/fix.6014
@@ -0,0 +1 @@
+Fix Java generated code when a module contains a type with the same name
diff --git a/v4.10.0/style.css b/v4.10.0/style.css
new file mode 100644
index 0000000..a122652
--- /dev/null
+++ b/v4.10.0/style.css
@@ -0,0 +1,74 @@
+body {
+    font-family: ui-sans-serif, sans-serif;
+    max-width: 40em;
+    margin: auto;
+    padding: 1em;
+    position: relative;
+    line-height: 1.5;
+}
+
+h1 {
+    text-align: center;
+}
+
+#logo {
+    width: 100%;
+}
+
+@media (min-width: 25em) {
+    #logo {
+        float: left;
+        margin: 0 1em 0.5em 0;
+        max-width: 100%;
+        width: 10em;
+    }
+}
+
+nav {
+    margin: 1.35em 0;
+}
+
+nav h2 {
+    margin-bottom: 0.5em;
+}
+
+nav ul {
+    margin: 0;
+}
+
+@media (min-width: 67em) {
+    body {
+        max-width: 65em;
+    }
+
+    nav {
+        float: right;
+        margin-top: 0;
+        position: sticky;
+        top: 1em;
+        width: 22.5em;
+    }
+
+    nav h2 {
+        margin-top: 0;
+        margin-left: 0.5em;
+    }
+
+    main {
+        margin-right: 22.5em;
+    }
+}
+
+#snapshot {
+    margin: 0;
+}
+
+#snapshot img {
+    width: 100%;
+}
+
+#snapshot figcaption {
+    font-style: italic;
+    margin-top: 0.25em;
+    text-align: center;
+}
diff --git a/v4.10.0/toc.md b/v4.10.0/toc.md
new file mode 100644
index 0000000..cd3da7a
--- /dev/null
+++ b/v4.10.0/toc.md
@@ -0,0 +1,71 @@
+---
+title: Dafny Resources for Users
+layout: default
+# Feel free to add content and custom Front Matter to this file.
+# To modify the layout, see https://jekyllrb.com/docs/themes/#overriding-theme-defaults
+---
+
+<link rel="stylesheet" href="assets/main.css">
+
+<font size="+4"><p style="text-align: center;">Dafny Documentation</p></font>
+
+<p style="text-align: center;">
+{% include_relative DafnyRef/version.txt %}
+</p>
+
+This page contains links to Dafny documentation.
+
+[Project site for releases, issues, installation instructions, and source code](https://github.com/dafny-lang/dafny)
+
+* Quick start material:
+   * [Installation](./Installation) and [Releases](https://github.com/dafny-lang/dafny/releases)
+   * [Cheatsheet](DafnyCheatsheet.pdf)
+   * Dafny [Quick Reference](./QuickReference)
+   * [Getting started tutorial](./OnlineTutorial/guide), focusing mostly on simple imperative programs
+   * [Dafny blog](https://dafny.org/blog)
+* Detailed documents for programmers
+   * [**Dafny Reference Manual**](DafnyRef/DafnyRef)
+   * [FAQs](HowToFAQ/index)
+   * [Explanations of Error and Warning messages](HowToFAQ/Errors)
+   * [Verification optimization guide](VerificationOptimization/VerificationOptimization)
+   * [**Style Guide for Dafny programs**](StyleGuide/Style-Guide)
+   * Language reference for the [Dafny type system](http://leino.science/papers/krml243.html), which also describes available expressions for each type
+   * [Miscellaneous Examples of Dafny programs](examples/README)
+* Dafny Tutorials
+   * [Cheat sheet appendix from Leino's book](Dafny-cheat-sheet.pdf)
+   * [Introduction to Dafny](OnlineTutorial/guide)
+   * [Value Types](OnlineTutorial/ValueTypes)
+   * [Sets](OnlineTutorial/Sets)
+   * [Sequences](OnlineTutorial/Sequences)
+   * [Lemmas and Induction](OnlineTutorial/Lemmas)
+   * [Modules](OnlineTutorial/Modules)
+   * [Termination](OnlineTutorial/Termination)
+   * [A Tutorial on Using Dafny to Construct Verified Software](https://arxiv.org/pdf/1701.04481.pdf), Paqui Lucio, 2017
+* Forums for Q&amp;A (#discussion)
+   * [Problem reports](https://github.com/dafny-lang/dafny/issues) and [discussions](https://github.com/dafny-lang/dafny/discussions) on GitHub
+   * Dafny-tagged queries on [Stackoverflow](https://stackoverflow.com/questions/tagged/dafny)
+
+There are also publications and lecture notes:
+
+* 4-part course on the _Basics of specification and verification of code_:
+  - Lecture 0: [Pre- and postconditions](https://youtu.be/oLS_y842fMc) (19:08)
+  - Lecture 1: [Invariants](https://youtu.be/J0FGb6PyO_k) (20:56)
+  - Lecture 2: [Binary search](https://youtu.be/-_tx3lk7yn4) (21:14)
+  - Lecture 3: [Dutch National Flag algorithm](https://youtu.be/dQC5m-GZYbk) (20:33)
+* Overview article: [Accessible Software Verification with Dafny](https://www.computer.org/csdl/mags/so/2017/06/mso2017060094-abs.html), IEEE Software, Nov/Dec 2017
+* [3-page tutorial notes](http://leino.science/papers/krml233.pdf) with examples (ICSE 2013)
+* [Dafny Power User](http://leino.science/dafny-power-user)
+* Videos at [Verification Corner](https://www.youtube.com/channel/UCP2eLEql4tROYmIYm5mA27A)
+
+And some books:
+* K. Rustan M. Leino, 2023, [_Program Proofs_](https://mitpress.mit.edu/9780262546232/program-proofs/), available March, 2023.
+* K. Rustan M. Leino and Kaleb Leino, 2020, [_Program Proofs_](https://www.lulu.com/shop/k-rustan-m-leino-and-kaleb-leino/program-proofs/paperback/product-wqy8w5.html). Draft version of the book being published by MIT Press, available only until its release in March 2023. 
+* Boro Sitnovski, 2022, [_Introducing Software Verification with Dafny Language_](https://link.springer.com/book/10.1007/978-1-4842-7978-6_)
+* Jason Koenig, K. Rustan M. Leino, 2016, [_Getting Started with Dafny: A Guide_](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/12/krml220.pdf)
+
+Miscellaneous notes about compiling Dafny code
+   * [Go](Compilation/Go)
+   * [Strings and Characters](Compilation/StringsAndChars)
+   * [Reference values](Compilation/ReferenceTypes)
+   * [Automatic Initialization of Variables](Compilation/AutoInitialization)
+   * [Boogie](Compilation/Boogie)