BMC: completeness thresholds larger than one

kroening · kroening · commit 8bc59f2babb5 · 2025-05-18T21:57:13.000+01:00
diff --git a/regression/verilog/SVA/initial1.bmc.desc b/regression/verilog/SVA/initial1.bmc.desc
@@ -3,7 +3,7 @@ initial1.sv
 --module main
 ^\[main\.p0\] main\.counter == 0: PROVED$
 ^\[main\.p1\] main\.counter == 100: REFUTED$
-^\[main\.p2\] ##1 main\.counter == 1: PROVED up to bound 5$
+^\[main\.p2\] ##1 main\.counter == 1: PROVED$
 ^\[main\.p3\] ##1 main\.counter == 100: REFUTED$
 ^\[main\.p4\] s_nexttime main\.counter == 1: PROVED$
 ^\[main\.p5\] always \[1:1\] main\.counter == 1: PROVED$
diff --git a/regression/verilog/SVA/named_sequence1.desc b/regression/verilog/SVA/named_sequence1.desc
@@ -1,7 +1,7 @@
 CORE
 named_sequence1.sv
 
-^\[main\.assert\.1\] always main\.x_is_ten: PROVED up to bound 5$
+^\[main\.assert\.1\] always main\.x_is_ten: PROVED$
 ^EXIT=0$
 ^SIGNAL=0$
 --
diff --git a/regression/verilog/SVA/sequence6.desc b/regression/verilog/SVA/sequence6.desc
@@ -1,7 +1,7 @@
 CORE
 sequence6.sv
 
-^\[main\.p0\] \(1 ##1 1\) \|-> main\.x == 1: PROVED up to bound 5$
+^\[main\.p0\] \(1 ##1 1\) \|-> main\.x == 1: PROVED$
 ^EXIT=0$
 ^SIGNAL=0$
 --
diff --git a/regression/verilog/SVA/sequence_and1.bmc.desc b/regression/verilog/SVA/sequence_and1.bmc.desc
@@ -3,9 +3,9 @@ sequence_and1.sv
 
 ^\[main\.p0\] main\.x == 0 and main\.x == 1: REFUTED$
 ^\[main\.p1\] strong\(main\.x == 0 and main\.x == 1\): REFUTED$
-^\[main\.p2\] main\.x == 0 and \(nexttime main\.x == 1\): PROVED up to bound \d+$
-^\[main\.p3\] \(nexttime main\.x == 1\) and main\.x == 0: PROVED up to bound \d+$
-^\[main\.p4\] \(main\.x == 0 and main\.x != 10\) |=> main\.x == 1: PROVED up to bound \d+$
+^\[main\.p2\] main\.x == 0 and \(nexttime main\.x == 1\): PROVED$
+^\[main\.p3\] \(nexttime main\.x == 1\) and main\.x == 0: PROVED$
+^\[main\.p4\] \(main\.x == 0 and main\.x != 10\) |=> main\.x == 1: PROVED$
 ^EXIT=10$
 ^SIGNAL=0$
 --
diff --git a/regression/verilog/SVA/sequence_and2.desc b/regression/verilog/SVA/sequence_and2.desc
@@ -1,8 +1,8 @@
 CORE
 sequence_and2.sv
 
-\[.*\] \(1 and \(##2 1\)\) \|-> main\.x == 2: PROVED up to bound 5$
-\[.*\] \(\(##2 1\) and 1\) \|-> main\.x == 2: PROVED up to bound 5$
+\[.*\] \(1 and \(##2 1\)\) \|-> main\.x == 2: PROVED$
+\[.*\] \(\(##2 1\) and 1\) \|-> main\.x == 2: PROVED$
 ^EXIT=0$
 ^SIGNAL=0$
 --
diff --git a/regression/verilog/SVA/sequence_and3.desc b/regression/verilog/SVA/sequence_and3.desc
@@ -3,8 +3,8 @@ sequence_and3.sv
 
 ^\[.*\] \(\(1 or \(##2 1\)\) and 1\) \|-> main\.x == 2: REFUTED$
 ^\[.*\] \(1 and \(1 or \(##2 1\)\)\) \|-> main\.x == 2: REFUTED$
-^\[.*\] \(\(1 or \(##2 1\)\) and 1\) \|-> main\.x == 0 \|\| main\.x == 2: PROVED up to bound 5$
-^\[.*\] \(1 and \(1 or \(##2 1\)\)\) \|-> main\.x == 0 \|\| main\.x == 2: PROVED up to bound 5$
+^\[.*\] \(\(1 or \(##2 1\)\) and 1\) \|-> main\.x == 0 \|\| main\.x == 2: PROVED$
+^\[.*\] \(1 and \(1 or \(##2 1\)\)\) \|-> main\.x == 0 \|\| main\.x == 2: PROVED$
 ^EXIT=10$
 ^SIGNAL=0$
 --
diff --git a/regression/verilog/SVA/sequence_or1.desc b/regression/verilog/SVA/sequence_or1.desc
@@ -3,9 +3,9 @@ sequence_or1.sv
 
 ^\[main\.p0\] main\.x == 0 or main\.x == 1: PROVED$
 ^\[main\.p1\] strong\(main\.x == 0 or main\.x == 1\): PROVED$
-^\[main\.p2\] main\.x == 0 or \(nexttime main\.x == 1\): PROVED up to bound \d+$
-^\[main\.p3\] \(nexttime main\.x == 1\) or main\.x == 1: PROVED up to bound \d+$
-^\[main\.p4\] \(main\.x == 0 or main\.x != 10\) |=> main\.x == 1: PROVED up to bound \d+$
+^\[main\.p2\] main\.x == 0 or \(nexttime main\.x == 1\): PROVED$
+^\[main\.p3\] \(nexttime main\.x == 1\) or main\.x == 1: PROVED$
+^\[main\.p4\] \(main\.x == 0 or main\.x != 10\) |=> main\.x == 1: PROVED$
 ^EXIT=0$
 ^SIGNAL=0$
 --
diff --git a/regression/verilog/SVA/sequence_repetition4.desc b/regression/verilog/SVA/sequence_repetition4.desc
@@ -1,7 +1,7 @@
 CORE
 sequence_repetition4.sv
 
-^\[main\.p0\] \(main\.x == 0 ##1 main\.x == 1\) \[\*2\]: PROVED up to bound \d+$
+^\[main\.p0\] \(main\.x == 0 ##1 main\.x == 1\) \[\*2\]: PROVED$
 ^\[main\.p1\] \(main\.x == 0 ##1 main\.x == 1 ##1 main\.x == 0\) \[\*2\]: REFUTED$
 ^EXIT=10$
 ^SIGNAL=0$
diff --git a/src/ebmc/completeness_threshold.cpp b/src/ebmc/completeness_threshold.cpp
@@ -16,16 +16,20 @@ Author: Daniel Kroening, dkr@amazon.com
 
 #include "bmc.h"
 
-bool has_low_completeness_threshold(const exprt &expr)
+// counting number of transitions
+std::optional<mp_integer> completeness_threshold(const exprt &expr)
 {
   if(!has_temporal_operator(expr))
   {
-    return true; // state predicate only
+    return 0; // state predicate only
   }
   else if(expr.id() == ID_X)
   {
     // X p
-    return !has_temporal_operator(to_X_expr(expr).op());
+    if(has_temporal_operator(to_X_expr(expr).op()))
+      return {};
+    else
+      return 1;
   }
   else if(
     expr.id() == ID_sva_nexttime || expr.id() == ID_sva_s_nexttime ||
@@ -41,11 +45,12 @@ bool has_low_completeness_threshold(const exprt &expr)
       return false;
     else if(always_expr.upper().is_constant())
     {
-      auto lower_int = numeric_cast_v<mp_integer>(always_expr.lower());
       auto upper_int =
         numeric_cast_v<mp_integer>(to_constant_expr(always_expr.upper()));
-      return lower_int >= 0 && lower_int <= 1 && upper_int >= 0 &&
-             upper_int <= 1;
+      if(upper_int < 0)
+        return {};
+      else
+        return upper_int;
     }
     else
       return false;
@@ -57,29 +62,38 @@ bool has_low_completeness_threshold(const exprt &expr)
       return false;
     else
     {
-      auto lower_int = numeric_cast_v<mp_integer>(s_always_expr.lower());
       auto upper_int = numeric_cast_v<mp_integer>(s_always_expr.upper());
-      return lower_int >= 0 && lower_int <= 1 && upper_int >= 0 &&
-             upper_int <= 1;
+      if(upper_int < 0)
+        return {};
+      else
+        return upper_int;
     }
   }
   else if(
     expr.id() == ID_sva_strong || expr.id() == ID_sva_weak ||
     expr.id() == ID_sva_implicit_strong || expr.id() == ID_sva_implicit_weak)
   {
     auto &sequence = to_sva_sequence_property_expr_base(expr).sequence();
-    return has_low_completeness_threshold(sequence);
+    return completeness_threshold(sequence);
   }
   else if(expr.id() == ID_sva_boolean)
   {
-    return true;
+    return 0; // state predicate only
   }
   else if(expr.id() == ID_sva_or || expr.id() == ID_sva_and)
   {
+    mp_integer max_ct = 0;
+
     for(auto &op : expr.operands())
-      if(!has_low_completeness_threshold(op))
-        return false;
-    return true;
+    {
+      auto ct_op = completeness_threshold(op);
+      if(ct_op.has_value())
+        max_ct = std::max(*ct_op, max_ct);
+      else
+        return {}; // no CT
+    }
+
+    return max_ct;
   }
   else if(expr.id() == ID_sva_sequence_property)
   {
@@ -89,17 +103,23 @@ bool has_low_completeness_threshold(const exprt &expr)
     return false;
 }
 
-bool has_low_completeness_threshold(const ebmc_propertiest::propertyt &property)
+std::optional<mp_integer> completeness_threshold(const ebmc_propertiest::propertyt &property)
 {
-  return has_low_completeness_threshold(property.normalized_expr);
+  return completeness_threshold(property.normalized_expr);
 }
 
-bool have_low_completeness_threshold(const ebmc_propertiest &properties)
+std::optional<mp_integer> completeness_threshold(const ebmc_propertiest &properties)
 {
+  std::optional<mp_integer> max_ct;
+
   for(auto &property : properties.properties)
-    if(has_low_completeness_threshold(property))
-      return true;
-  return false;
+  {
+    auto ct_opt = completeness_threshold(property);
+    if(ct_opt.has_value())
+      max_ct = std::max(max_ct.value_or(0), *ct_opt);
+  }
+
+  return max_ct;
 }
 
 property_checker_resultt completeness_threshold(
@@ -110,13 +130,15 @@ property_checker_resultt completeness_threshold(
   message_handlert &message_handler)
 {
   // Do we have an eligibile property?
-  if(!have_low_completeness_threshold(properties))
+  auto ct_opt = completeness_threshold(properties);
+
+  if(!ct_opt.has_value())
     return property_checker_resultt{properties}; // give up
 
   // Do BMC with two timeframes
   auto result = bmc(
-    1,     // bound
-    false, // convert_only
+    numeric_cast_v<std::size_t>(*ct_opt), // bound
+    false,   // convert_only
     cmdline.isset("bmc-with-assumptions"),
     transition_system,
     properties,
@@ -128,7 +150,7 @@ property_checker_resultt completeness_threshold(
     if(property.is_proved_with_bound())
     {
       // Turn "PROVED up to bound k" into "PROVED" if k>=CT
-      if(has_low_completeness_threshold(property) && property.bound >= 1)
+      if(completeness_threshold(property).has_value())
         property.proved();
       else
         property.unknown();
