009-rolling-max does not show that bounds are tight

[jesyspa]

The conditions on rolling_max show that the returned sequence is a non-decreasing pointwise upper bound on the original sequence, but it does not show that it is the minimal such sequence.

There are two directions one can go with strengthening this: express the property explicitly (result[i] is the maximum of the previous elements, i.e. an upper bound and equal to one of them) or express indirectly (e.g. always equal to previous upper bound or the element, first element of result and input are the same). The former is probably more work, but would be neater.

[jesyspa]

One thing to note here: the invariant uses old, but this has no effect in this context. old isn't about the value of the variable before the loop iteration, it's about the heap state. So I'm fairly sure there's something weird going on with the verification here.