🤖 AI Summary
Formal verification of divide-and-conquer algorithms like merge sort faces challenges in achieving end-to-end, stack-free correctness proofs—particularly for iterative implementations lacking explicit recursion.
Method: We present a structured derivation pattern tailored to merge sort, modeling its recursive decomposition via a subproblem tree and leveraging this structure to synthesize precise loop invariants, enabling fully automatic verification of an iterative version in Dafny.
Contribution/Results: This work delivers the first complete functional correctness proof of merge sort in Dafny for both recursive and purely iterative variants. The proposed derivation pattern and invariant construction strategy generalize to other divide-and-conquer algorithms, such as quicksort. All specifications—including preconditions, postconditions, and loop invariants—are discharged automatically by the Dafny verifier, demonstrating practical scalability and soundness.
📝 Abstract
We provide full certifications of two versions of merge sort of arrays in the verification-aware programming language Dafny. We start by considering schemas for applying the divide-and-conquer or partition method of solution to specifications given by pre- and post-conditions involving linear arrays. We then derive the merge sort and merging algorithms as instances of these schemas, thereby arriving at a fully recursive formulation. Further, the analysis of the tree of subproblems arising from the partition facilitates the design of loop invariants that allow deriving a fully iterative version (sometimes called bottom-up merge sort) that does not employ a stack. We show how the use of the provided schemas conveniently guides the formalization and the actual verification in Dafny. The whole method is also applicable to deriving variants of quicksort, which we sketch.
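To make the "tree of subproblems" idea concrete, here is an added example (not the paper's Dafny code) of bottom-up merge sort in Python. Each outer iteration processes one level of the subproblem tree: after the pass with run width `width`, every aligned block of `2 * width` elements is sorted. The two loop invariants checked at runtime here, "every aligned block of the current width is sorted" and "the multiset of elements is unchanged", are my own formulation of the kind of invariant the abstract describes; in Dafny they would appear as `invariant` clauses on the `while` loop and be discharged statically rather than by `assert` at run time. The function and helper names are assumptions of this example.

```python
from collections import Counter
from typing import List


def merge(a: List[int], lo: int, mid: int, hi: int) -> None:
    """Merge the two adjacent sorted runs a[lo:mid] and a[mid:hi] in place.

    Stable: on ties the element from the left run is taken first.
    """
    left = a[lo:mid]
    right = a[mid:hi]
    i = j = 0
    k = lo
    while i < len(left) and j < len(right):
        if left[i] <= right[j]:
            a[k] = left[i]
            i += 1
        else:
            a[k] = right[j]
            j += 1
        k += 1
    # Copy whatever remains of either run (at most one of these loops runs).
    while i < len(left):
        a[k] = left[i]
        i += 1
        k += 1
    while j < len(right):
        a[k] = right[j]
        j += 1
        k += 1


def runs_sorted(a: List[int], width: int) -> bool:
    """Invariant predicate: every block a[i:i+width] with i a multiple of
    width is sorted. The final block may be shorter than width."""
    n = len(a)
    for i in range(0, n, width):
        block = a[i:min(i + width, n)]
        if any(block[t] > block[t + 1] for t in range(len(block) - 1)):
            return False
    return True


def bottom_up_merge_sort(a: List[int], check_invariant: bool = True) -> List[int]:
    """Iterative (stack-free) merge sort.

    The outer loop walks up the subproblem tree level by level: width is the
    size of the already-sorted runs at the current level. No recursion and no
    explicit stack is needed because the runs are laid out contiguously.
    """
    n = len(a)
    original = Counter(a)  # ghost state: the input multiset (constructed here)
    width = 1
    # Loop invariant (assumption of this example, mirroring a Dafny
    # `invariant` clause): runs_sorted(a, width) and Counter(a) == original.
    while width < n:
        if check_invariant:
            assert runs_sorted(a, width), "runs of current width must be sorted"
            assert Counter(a) == original, "elements must be a permutation of input"
        # Merge neighbouring runs of length width into runs of length 2*width.
        for lo in range(0, n, 2 * width):
            mid = min(lo + width, n)
            hi = min(lo + 2 * width, n)
            merge(a, lo, mid, hi)
        width *= 2
    # Postcondition: the single remaining run is the whole array, and it is a
    # permutation of the input.
    if check_invariant:
        assert runs_sorted(a, max(n, 1))
        assert Counter(a) == original
    return a


if __name__ == "__main__":
    data = [5, 3, 8, 1, 9, 2, 7]  # constructed sample input
    print(bottom_up_merge_sort(data))
```

The invariant is established trivially at `width = 1` (every single element is a sorted run) and is preserved by each pass because merging two adjacent sorted runs of length `width` yields one sorted run of length `2 * width`; when the loop exits, `width >= n`, so the invariant collapses to the postcondition that the whole array is sorted. This is exactly the reasoning a static verifier such as Dafny needs spelled out as invariant clauses.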