SystemVerilog: distinguish assertions

This changes the front-end to distinguish three kinds of assertions/assumptions:

1) concurrent assertions/assumptions ("assert property"), which can be
module items or statements,

2) immediate assertion/assumption statements, and

3) SMV-style assertions/assumptions.

Front-end and BMC back-end support for initial concurrent assertion
statements is added.

Author: kroening

regression/verilog/SVA/initial1.desc

@@ -1,9 +1,13 @@
-KNOWNBUG
+CORE
 initial1.sv
 --module main --bound 1
-^EXIT=0$
+^\[main\.property\.1\] main\.counter == 0: PROVED up to bound 1$
+^\[main\.property\.2\] main\.counter == 100: REFUTED$
+^\[main\.property\.3\] ##1 main\.counter == 1: PROVED up to bound 1$
+^\[main\.property\.4\] ##1 main\.counter == 100: REFUTED$
+^\[main\.property\.5\] s_nexttime main\.counter == 1: FAILURE: property not supported by BMC engine$
+^EXIT=10$
 ^SIGNAL=0$
 --
 ^warning: ignoring
 --
-Syntax is missing for initial label: assert property (...);

regression/verilog/SVA/initial1.sv

@@ -14,7 +14,16 @@ module main(input clk);
   // expected to pass
   initial p0: assert property (counter == 0);
 
+  // expected to fail
+  initial p1: assert property (counter == 100);
+
+  // expected to pass
+  initial p2: assert property (##1 counter == 1);
+
+  // expected to fail
+  initial p2: assert property (##1 counter == 100);
+
   // expected to pass if there are timeframes 0 and 1
-  initial p1: assert property (s_nexttime counter == 1);
+  initial p3: assert property (s_nexttime counter == 1);
 
 endmodule

regression/verilog/modules/parameters2.v

@@ -10,7 +10,7 @@ module test(in1, in2);
 
   my_m #( .Ptop(P), .Qtop(Q) ) m_instance(in1, in2, o1, o2); 
 
-  assert property1: tmp == 4; // should pass
+  always assert property1: tmp == 4; // should pass
 
 endmodule                       
 
@@ -25,6 +25,6 @@ module my_m(a, b, c, d);
 
   wire [3:0] tmp_in_m = Ptop; // tmp1 should be 4 now  
 
-  assert property2: tmp_in_m == 4; // should pass
+  always assert property2: tmp_in_m == 4; // should pass
 
 endmodule

regression/verilog/tasks/tasks1.v

@@ -12,6 +12,6 @@ module main;
     some_task(x, y);
   end
 
-  assert p1: y==x+1;
+  always assert p1: y==x+1;
 
 endmodule

src/hw-cbmc/Makefile

@@ -35,6 +35,7 @@ OBJ+= $(CPROVER_DIR)/goto-checker/goto-checker$(LIBEXT) \
       $(CPROVER_DIR)/solvers/solvers$(LIBEXT) \
       $(CPROVER_DIR)/util/util$(LIBEXT) \
       $(CPROVER_DIR)/json/json$(LIBEXT) \
+      ../temporal-logic/temporal-logic$(LIBEXT) \
       ../trans-netlist/trans_trace$(OBJEXT) \
       ../trans-word-level/trans-word-level$(LIBEXT)
 

src/hw_cbmc_irep_ids.h

@@ -66,6 +66,11 @@ IREP_ID_ONE(force)
 IREP_ID_ONE(deassign)
 IREP_ID_ONE(continuous_assign)
 IREP_ID_ONE(wait)
+IREP_ID_ONE(verilog_assert_property)
+IREP_ID_ONE(verilog_assume_property)
+IREP_ID_ONE(verilog_cover_property)
+IREP_ID_ONE(verilog_smv_assert)
+IREP_ID_ONE(verilog_smv_assume)
 IREP_ID_ONE(verilog_always)
 IREP_ID_ONE(verilog_always_comb)
 IREP_ID_ONE(verilog_always_ff)
@@ -76,7 +81,6 @@ IREP_ID_ONE(initial)
 IREP_ID_ONE(verilog_label_statement)
 IREP_ID_ONE(disable)
 IREP_ID_ONE(fork)
-IREP_ID_ONE(cover)
 IREP_ID_ONE(instance)
 IREP_ID_ONE(named_parameter_assignment)
 IREP_ID_ONE(parameter_assignment)

src/trans-word-level/property.cpp

@@ -14,6 +14,7 @@ Author: Daniel Kroening, [email protected]
 #include <util/symbol_table.h>
 
 #include <temporal-logic/temporal_expr.h>
+#include <temporal-logic/temporal_logic.h>
 #include <verilog/sva_expr.h>
 
 #include "instantiate_word_level.h"
@@ -34,8 +35,8 @@ Function: bmc_supports_property
 
 bool bmc_supports_property(const exprt &expr)
 {
-  if(expr.is_constant())
-    return true;
+  if(!has_temporal_operator(expr))
+    return true; // initial state only
   else if(expr.id() == ID_AG)
     return true;
   else if(expr.id() == ID_G)
@@ -68,9 +69,23 @@ void property(
 {
   messaget message(message_handler);
 
-  if(property_expr.is_true())
+  // Initial state only property?
+  if(!has_temporal_operator(property_expr))
   {
-    prop_handles.resize(no_timeframes, true_exprt());
+    for(std::size_t t = 0; t < no_timeframes; t++)
+    {
+      exprt prop_handle;
+      if(t == 0)
+      {
+        exprt tmp = instantiate(property_expr, t, no_timeframes, ns);
+        prop_handle = solver.handle(tmp);
+      }
+      else
+        prop_handle = true_exprt();
+
+      prop_handles.push_back(std::move(prop_handle));
+    }
+
     return;
   }
 

src/verilog/parser.y

@@ -1954,10 +1954,10 @@ concurrent_assertion_statement:
 
 assert_property_statement:
           TOK_ASSERT TOK_PROPERTY '(' property_expr ')' action_block
-		{ init($$, ID_assert); mto($$, $4); mto($$, $6); }
+		{ init($$, ID_verilog_assert_property); mto($$, $4); mto($$, $6); }
 	| /* this one is in because SMV does it */
 	  TOK_ASSERT property_identifier TOK_COLON expression ';'
-		{ init($$, ID_assert); stack_expr($$).operands().resize(2);
+		{ init($$, ID_verilog_smv_assert); stack_expr($$).operands().resize(2);
 		  to_binary_expr(stack_expr($$)).op0().swap(stack_expr($4));
 		  to_binary_expr(stack_expr($$)).op1().make_nil();
 		  stack_expr($$).set(ID_identifier, stack_expr($2).id());
@@ -1966,18 +1966,18 @@ assert_property_statement:
 
 assume_property_statement:
           TOK_ASSUME TOK_PROPERTY '(' property_expr ')' action_block
-		{ init($$, ID_assume); mto($$, $4); mto($$, $6); }
+		{ init($$, ID_verilog_assume_property); mto($$, $4); mto($$, $6); }
 	| /* this one is in because SMV does it */
 	  TOK_ASSUME property_identifier TOK_COLON expression ';'
-		{ init($$, ID_assume); stack_expr($$).operands().resize(2);
+		{ init($$, ID_verilog_smv_assume); stack_expr($$).operands().resize(2);
 		  to_binary_expr(stack_expr($$)).op0().swap(stack_expr($4));
 		  to_binary_expr(stack_expr($$)).op1().make_nil();
 		  stack_expr($$).set(ID_identifier, stack_expr($2).id());
 		}
 	;
 
 cover_property_statement: TOK_COVER TOK_PROPERTY '(' expression ')' action_block
-		{ init($$, ID_cover); mto($$, $4); mto($$, $6); }
+		{ init($$, ID_verilog_cover_property); mto($$, $4); mto($$, $6); }
 	;
 
 assertion_item_declaration:

src/verilog/verilog_elaborate.cpp

@@ -628,6 +628,17 @@ void verilog_typecheckt::collect_symbols(const verilog_statementt &statement)
   if(statement.id() == ID_assert || statement.id() == ID_assume)
   {
   }
+  else if(
+    statement.id() == ID_verilog_assert_property ||
+    statement.id() == ID_verilog_assume_property ||
+    statement.id() == ID_verilog_cover_property)
+  {
+  }
+  else if(
+    statement.id() == ID_verilog_smv_assert ||
+    statement.id() == ID_verilog_smv_assume)
+  {
+  }
   else if(statement.id() == ID_block)
   {
     // These may be named
@@ -758,7 +769,10 @@ void verilog_typecheckt::collect_symbols(
   else if(module_item.id() == ID_continuous_assign)
   {
   }
-  else if(module_item.id() == ID_assert || module_item.id() == ID_assume)
+  else if(
+    module_item.id() == ID_verilog_assert_property ||
+    module_item.id() == ID_verilog_assume_property ||
+    module_item.id() == ID_verilog_cover_property)
   {
   }
   else if(module_item.id() == ID_parameter_override)

src/verilog/verilog_expr.h

@@ -1598,11 +1598,12 @@ inline verilog_non_blocking_assignt &to_verilog_non_blocking_assign(exprt &expr)
   return static_cast<verilog_non_blocking_assignt &>(expr);
 }
 
-/// Verilog concurrent assertions
+/// Verilog concurrent assertion module item
 class verilog_assert_module_itemt : public verilog_module_itemt
 {
 public:
-  verilog_assert_module_itemt() : verilog_module_itemt(ID_assert)
+  verilog_assert_module_itemt()
+    : verilog_module_itemt(ID_verilog_assert_property)
   {
     operands().resize(2);
   }
@@ -1631,24 +1632,25 @@ class verilog_assert_module_itemt : public verilog_module_itemt
 inline const verilog_assert_module_itemt &
 to_verilog_assert_module_item(const verilog_module_itemt &module_item)
 {
-  PRECONDITION(module_item.id() == ID_assert);
+  PRECONDITION(module_item.id() == ID_verilog_assert_property);
   binary_exprt::check(module_item);
   return static_cast<const verilog_assert_module_itemt &>(module_item);
 }
 
 inline verilog_assert_module_itemt &
 to_verilog_assert_module_item(verilog_module_itemt &module_item)
 {
-  PRECONDITION(module_item.id() == ID_assert);
+  PRECONDITION(module_item.id() == ID_verilog_assert_property);
   binary_exprt::check(module_item);
   return static_cast<verilog_assert_module_itemt &>(module_item);
 }
 
-/// Verilog concurrent assumptions
+/// Verilog concurrent assumption module item
 class verilog_assume_module_itemt : public verilog_module_itemt
 {
 public:
-  verilog_assume_module_itemt() : verilog_module_itemt(ID_assume)
+  verilog_assume_module_itemt()
+    : verilog_module_itemt(ID_verilog_assume_property)
   {
     operands().resize(2);
   }
@@ -1677,20 +1679,23 @@ class verilog_assume_module_itemt : public verilog_module_itemt
 inline const verilog_assume_module_itemt &
 to_verilog_assume_module_item(const verilog_module_itemt &module_item)
 {
-  PRECONDITION(module_item.id() == ID_assume);
+  PRECONDITION(module_item.id() == ID_verilog_assume_property);
   binary_exprt::check(module_item);
   return static_cast<const verilog_assume_module_itemt &>(module_item);
 }
 
 inline verilog_assume_module_itemt &
 to_verilog_assume_module_item(verilog_module_itemt &module_item)
 {
-  PRECONDITION(module_item.id() == ID_assume);
+  PRECONDITION(module_item.id() == ID_verilog_assume_property);
   binary_exprt::check(module_item);
   return static_cast<verilog_assume_module_itemt &>(module_item);
 }
 
-// Intermediate assertion statements, and SMV-style assertions.
+// Can be one of three:
+// 1) Intermediate assertion statement
+// 2) Concurrent assertion statement
+// 3) SMV-style assertion statement
 class verilog_assert_statementt : public verilog_statementt
 {
 public:
@@ -1725,20 +1730,29 @@ class verilog_assert_statementt : public verilog_statementt
 inline const verilog_assert_statementt &
 to_verilog_assert_statement(const verilog_statementt &statement)
 {
-  PRECONDITION(statement.id() == ID_assert);
+  PRECONDITION(
+    statement.id() == ID_assert ||
+    statement.id() == ID_verilog_assert_property ||
+    statement.id() == ID_verilog_smv_assert);
   binary_exprt::check(statement);
   return static_cast<const verilog_assert_statementt &>(statement);
 }
 
 inline verilog_assert_statementt &
 to_verilog_assert_statement(verilog_statementt &statement)
 {
-  PRECONDITION(statement.id() == ID_assert);
+  PRECONDITION(
+    statement.id() == ID_assert ||
+    statement.id() == ID_verilog_assert_property ||
+    statement.id() == ID_verilog_smv_assert);
   binary_exprt::check(statement);
   return static_cast<verilog_assert_statementt &>(statement);
 }
 
-// Intermediate assumption statements, and SMV-style assumptions.
+// Can be one of three:
+// 1) Intermediate assumption statement
+// 2) Concurrent assumption statement
+// 3) SMV-style assumption statement
 class verilog_assume_statementt : public verilog_statementt
 {
 public:
@@ -1773,15 +1787,21 @@ class verilog_assume_statementt : public verilog_statementt
 inline const verilog_assume_statementt &
 to_verilog_assume_statement(const verilog_statementt &statement)
 {
-  PRECONDITION(statement.id() == ID_assume);
+  PRECONDITION(
+    statement.id() == ID_assume ||
+    statement.id() == ID_verilog_assume_property ||
+    statement.id() == ID_verilog_smv_assume);
   binary_exprt::check(statement);
   return static_cast<const verilog_assume_statementt &>(statement);
 }
 
 inline verilog_assume_statementt &
 to_verilog_assume_statement(verilog_statementt &statement)
 {
-  PRECONDITION(statement.id() == ID_assume);
+  PRECONDITION(
+    statement.id() == ID_assume ||
+    statement.id() == ID_verilog_assume_property ||
+    statement.id() == ID_verilog_smv_assume);
   binary_exprt::check(statement);
   return static_cast<verilog_assume_statementt &>(statement);
 }