Verilog: fix semantics of cover disable iff

CHANGELOG

@@ -1,5 +1,7 @@
 # EBMC 5.8
 
+* SystemVerilog: cover sequence
+
 # EBMC 5.7
 
 * Verilog: --initial-zero changes the default value from nondet to zero

regression/verilog/SVA/cover_sequence1.sv

@@ -7,9 +7,9 @@ module main(input clk);
     x++;
 
   // expected to pass
-  p0: cover property (x==2 ##1 x==3 ##1 x==4);
+  p0: cover sequence (x==2 ##1 x==3 ##1 x==4);
 
   // expected to fail
-  p1: cover property (x==2 ##1 x==3 ##1 x==5);
+  p1: cover sequence (x==2 ##1 x==3 ##1 x==5);
 
 endmodule

regression/verilog/SVA/cover_sequence2.sv

@@ -7,15 +7,15 @@ module main(input clk);
     x++;
 
   // expected to fail
-  p0: cover property (x==2 ##1 x==3 ##1 x==100);
+  p0: cover sequence (x==2 ##1 x==3 ##1 x==100);
 
   // expected to fail until x reaches 100
-  p1: cover property (x==98 ##1 x==99 ##1 x==100);
+  p1: cover sequence (x==98 ##1 x==99 ##1 x==100);
 
   // expected to pass once x reaches 5
-  p2: cover property (x==3 ##1 x==4 ##1 x==5);
+  p2: cover sequence (x==3 ##1 x==4 ##1 x==5);
 
   // expected to pass once x reaches 6
-  p3: cover property (x==4 ##1 x==5 ##1 x==6);
+  p3: cover sequence (x==4 ##1 x==5 ##1 x==6);
 
 endmodule

regression/verilog/SVA/cover_sequence3.sv

@@ -7,12 +7,12 @@ module main(input clk);
     x++;
 
   // passes with bound >=9
-  p0: cover property (1[*10]);
+  p0: cover sequence (1[*10]);
 
   // passes with bound >=3
-  p1: cover property (1[*4:10]);
+  p1: cover sequence (1[*4:10]);
 
   // passes with bound >=4
-  p2: cover property (1[*5:10]);
+  p2: cover sequence (1[*5:10]);
 
 endmodule

regression/verilog/SVA/cover_sequence4.sv

@@ -7,12 +7,12 @@ module main(input clk);
     x++;
 
   // passes with bound >=9
-  p0: cover property (1[=10]);
+  p0: cover sequence (1[=10]);
 
   // passes with bound >=3
-  p1: cover property (1[=4:10]);
+  p1: cover sequence (1[=4:10]);
 
   // passes with bound >=4
-  p2: cover property (1[=5:10]);
+  p2: cover sequence (1[=5:10]);
 
 endmodule

regression/verilog/SVA/cover_sequence5.desc

@@ -1,9 +1,8 @@
-KNOWNBUG
+CORE
 cover_sequence5.sv
 --bound 10
 ^EXIT=10$
 ^SIGNAL=0$
 --
 ^warning: ignoring
 --
-This gives the wrong answer.

src/hw_cbmc_irep_ids.h

@@ -69,6 +69,7 @@ IREP_ID_ONE(sva_cycle_delay)
 IREP_ID_ONE(sva_cycle_delay_star)
 IREP_ID_ONE(sva_cycle_delay_plus)
 IREP_ID_ONE(sva_disable_iff)
+IREP_ID_ONE(sva_sequence_disable_iff)
 IREP_ID_ONE(sva_sequence_first_match)
 IREP_ID_ONE(sva_sequence_goto_repetition)
 IREP_ID_ONE(sva_sequence_intersect)
@@ -210,6 +211,7 @@ IREP_ID_ONE(verilog_immediate_cover)
 IREP_ID_ONE(verilog_assert_property)
 IREP_ID_ONE(verilog_assume_property)
 IREP_ID_ONE(verilog_cover_property)
+IREP_ID_ONE(verilog_cover_sequence)
 IREP_ID_ONE(verilog_covergroup)
 IREP_ID_ONE(verilog_restrict_property)
 IREP_ID_ONE(verilog_expect_property)

src/temporal-logic/normalize_property.cpp

@@ -109,11 +109,54 @@ exprt normalize_property_rec(exprt expr)
   return expr;
 }
 
+// Turn "disable iff" into an OR for assertions,
+// and into an AND for cover statements.
+void rewrite_disable_iff(exprt &expr, bool cover)
+{
+  expr.visit_post(
+    [cover](exprt &node)
+    {
+      if(node.id() == ID_sva_disable_iff)
+      {
+        auto &disable_iff = to_sva_disable_iff_expr(node);
+        if(cover)
+        {
+          // a sva_disable_iff b --> ¬a ∧ b
+          node = and_exprt{not_exprt{disable_iff.lhs()}, disable_iff.rhs()};
+        }
+        else // assertion
+        {
+          // a sva_disable_iff b --> a ∨ b
+          node = or_exprt{disable_iff.lhs(), disable_iff.rhs()};
+        }
+      }
+      else if(node.id() == ID_sva_sequence_disable_iff)
+      {
+        // only used in cover sequence (disable iff ...)
+        PRECONDITION(cover);
+        auto &disable_iff = to_sva_sequence_disable_iff_expr(node);
+        // a sva_disable_iff b --> ¬a and b
+        node = sva_and_exprt{
+          sva_boolean_exprt{
+            not_exprt{disable_iff.lhs()}, verilog_sva_sequence_typet{}},
+          disable_iff.rhs(),
+          verilog_sva_sequence_typet{}};
+      }
+    });
+}
+
 exprt normalize_property(exprt expr)
 {
   // top-level only
   if(expr.id() == ID_sva_cover)
+  {
+    rewrite_disable_iff(to_sva_cover_expr(expr).op(), true);
     expr = sva_always_exprt{sva_not_exprt{to_sva_cover_expr(expr).op()}};
+  }
+  else
+  {
+    rewrite_disable_iff(expr, false);
+  }
 
   expr = trivial_sva(expr);
 

src/temporal-logic/temporal_logic.cpp

@@ -112,7 +112,8 @@ bool is_SVA_sequence_operator(const exprt &expr)
          id == ID_sva_sequence_goto_repetition ||
          id == ID_sva_sequence_non_consecutive_repetition ||
          id == ID_sva_sequence_repetition_star ||
-         id == ID_sva_sequence_repetition_plus || id == ID_sva_boolean;
+         id == ID_sva_sequence_repetition_plus || id == ID_sva_boolean ||
+         id == ID_sva_sequence_disable_iff;
 }
 
 bool is_SVA_operator(const exprt &expr)

src/temporal-logic/trivial_sva.cpp

@@ -105,11 +105,6 @@ exprt trivial_sva(exprt expr)
                         : sva_if_expr.false_case();
     expr = if_exprt{sva_if_expr.cond(), sva_if_expr.true_case(), false_case};
   }
-  else if(expr.id() == ID_sva_disable_iff)
-  {
-    auto &disable_iff_expr = to_sva_disable_iff_expr(expr);
-    expr = or_exprt{disable_iff_expr.lhs(), disable_iff_expr.rhs()};
-  }
   else if(expr.id() == ID_sva_accept_on || expr.id() == ID_sva_sync_accept_on)
   {
     auto &sva_abort_expr = to_sva_abort_expr(expr);

src/temporal-logic/trivial_sva.h

@@ -22,7 +22,6 @@ Author: Daniel Kroening, [email protected]
 /// sva_overlapped_implication --> a -> b     if a and b are not sequences
 /// sva_if --> ? :
 /// sva_case --> ? :
-/// a sva_disable_iff b --> a ∨ b
 /// a sva_accept_on b --> a ∨ b
 /// a sva_reject_on b --> ¬a ∧ b
 /// a sva_sync_accept_on b --> a ∨ b

src/verilog/expr2verilog.cpp

@@ -680,10 +680,10 @@ Function: expr2verilogt::convert_sva_abort
 
 expr2verilogt::resultt expr2verilogt::convert_sva_abort(
   const std::string &text,
-  const sva_abort_exprt &expr)
+  const binary_exprt &expr)
 {
-  auto op0 = convert_rec(expr.condition());
-  auto op1 = convert_rec(expr.property());
+  auto op0 = convert_rec(expr.op0());
+  auto op1 = convert_rec(expr.op1());
 
   return {verilog_precedencet::MIN, text + " (" + op0.s + ") " + op1.s};
 }
@@ -1937,6 +1937,11 @@ expr2verilogt::resultt expr2verilogt::convert_rec(const exprt &src)
     return precedence = verilog_precedencet::MIN,
            convert_sva_abort("disable iff", to_sva_abort_expr(src));
 
+  else if(src.id() == ID_sva_sequence_disable_iff)
+    return precedence = verilog_precedencet::MIN,
+           convert_sva_abort(
+             "disable iff", to_sva_sequence_disable_iff_expr(src));
+
   else if(src.id()==ID_sva_eventually)
   {
     return precedence = verilog_precedencet::MIN,

src/verilog/expr2verilog_class.h

@@ -12,7 +12,6 @@ Author: Daniel Kroening, [email protected]
 #include <util/bitvector_expr.h>
 #include <util/std_expr.h>
 
-class sva_abort_exprt;
 class sva_case_exprt;
 class sva_if_exprt;
 class sva_ranged_predicate_exprt;
@@ -145,7 +144,7 @@ class expr2verilogt
     const std::string &name,
     const sva_sequence_repetition_exprt &);
 
-  resultt convert_sva_abort(const std::string &name, const sva_abort_exprt &);
+  resultt convert_sva_abort(const std::string &name, const binary_exprt &);
 
   resultt
   convert_sva_indexed_binary(const std::string &name, const binary_exprt &);

src/verilog/parser.y

@@ -2408,6 +2408,7 @@ concurrent_assertion_statement:
 	  assert_property_statement
 	| assume_property_statement
 	| cover_property_statement
+	| cover_sequence_statement
 	| restrict_property_statement
 	;
 
@@ -2470,6 +2471,15 @@ cover_property_statement: TOK_COVER TOK_PROPERTY '(' property_spec ')' action_bl
 		{ init($$, ID_verilog_cover_property); mto($$, $4); mto($$, $6); }
 	;
 
+cover_sequence_statement:
+	  TOK_COVER TOK_SEQUENCE '(' sequence_expr ')' action_block
+		{ init($$, ID_verilog_cover_sequence); mto2($$, $4, $6); }
+	| TOK_COVER TOK_SEQUENCE '(' clocking_event TOK_DISABLE TOK_IFF '(' expression ')' sequence_expr ')' action_block
+		{ init($5, ID_sva_sequence_disable_iff); mto2($5, $8, $10); init($$, ID_verilog_cover_sequence); mto2($$, $5, $12); }
+	| TOK_COVER TOK_SEQUENCE '(' TOK_DISABLE TOK_IFF '(' expression ')' sequence_expr ')' action_block
+		{ init($4, ID_sva_sequence_disable_iff); mto2($4, $7, $9); init($$, ID_verilog_cover_sequence); mto2($$, $4, $11); }
+	;
+
 restrict_property_statement: TOK_RESTRICT TOK_PROPERTY '(' property_spec ')' ';'
 		{ init($$, ID_verilog_restrict_property); mto($$, $4); mto($$, $6); }
 	;

src/verilog/sva_expr.h

@@ -36,6 +36,58 @@ static inline sva_boolean_exprt &to_sva_boolean_expr(exprt &expr)
   return static_cast<sva_boolean_exprt &>(expr);
 }
 
+/// disable_iff for cover sequence
+class sva_sequence_disable_iff_exprt : public binary_exprt
+{
+public:
+  sva_sequence_disable_iff_exprt(exprt condition, exprt sequence)
+    : binary_exprt(
+        std::move(condition),
+        ID_sva_sequence_disable_iff,
+        std::move(sequence),
+        verilog_sva_sequence_typet{})
+  {
+  }
+
+  const exprt &condition() const
+  {
+    return op0();
+  }
+
+  exprt &condition()
+  {
+    return op0();
+  }
+
+  const exprt &sequence() const
+  {
+    return op1();
+  }
+
+  exprt &sequence()
+  {
+    return op1();
+  }
+
+protected:
+  using binary_exprt::op0;
+  using binary_exprt::op1;
+};
+
+static inline const sva_sequence_disable_iff_exprt &
+to_sva_sequence_disable_iff_expr(const exprt &expr)
+{
+  sva_sequence_disable_iff_exprt::check(expr, validation_modet::INVARIANT);
+  return static_cast<const sva_sequence_disable_iff_exprt &>(expr);
+}
+
+static inline sva_sequence_disable_iff_exprt &
+to_sva_sequence_disable_iff_expr(exprt &expr)
+{
+  sva_sequence_disable_iff_exprt::check(expr, validation_modet::INVARIANT);
+  return static_cast<sva_sequence_disable_iff_exprt &>(expr);
+}
+
 /// accept_on, reject_on, sync_accept_on, sync_reject_on, disable_iff
 class sva_abort_exprt : public binary_exprt
 {

src/verilog/verilog_elaborate.cpp

@@ -671,6 +671,7 @@ void verilog_typecheckt::collect_symbols(const verilog_statementt &statement)
     statement.id() == ID_verilog_assume_property ||
     statement.id() == ID_verilog_restrict_property ||
     statement.id() == ID_verilog_cover_property ||
+    statement.id() == ID_verilog_cover_sequence ||
     statement.id() == ID_verilog_expect_property)
   {
   }
@@ -850,7 +851,8 @@ void verilog_typecheckt::collect_symbols(
     module_item.id() == ID_verilog_assert_property ||
     module_item.id() == ID_verilog_assume_property ||
     module_item.id() == ID_verilog_restrict_property ||
-    module_item.id() == ID_verilog_cover_property)
+    module_item.id() == ID_verilog_cover_property ||
+    module_item.id() == ID_verilog_cover_sequence)
   {
   }
   else if(module_item.id() == ID_verilog_assertion_item)

src/verilog/verilog_expr.cpp

@@ -201,7 +201,8 @@ static void dependencies_rec(
     module_item.id() == ID_verilog_assert_property ||
     module_item.id() == ID_verilog_assume_property ||
     module_item.id() == ID_verilog_restrict_property ||
-    module_item.id() == ID_verilog_cover_property)
+    module_item.id() == ID_verilog_cover_property ||
+    module_item.id() == ID_verilog_cover_sequence)
   {
   }
   else if(module_item.id() == ID_verilog_assertion_item)

src/verilog/verilog_expr.h

@@ -2061,7 +2061,8 @@ to_verilog_assert_assume_cover_module_item(
     module_item.id() == ID_verilog_assert_property ||
     module_item.id() == ID_verilog_assume_property ||
     module_item.id() == ID_verilog_restrict_property ||
-    module_item.id() == ID_verilog_cover_property);
+    module_item.id() == ID_verilog_cover_property ||
+    module_item.id() == ID_verilog_cover_sequence);
   binary_exprt::check(module_item);
   return static_cast<const verilog_assert_assume_cover_module_itemt &>(
     module_item);
@@ -2074,7 +2075,8 @@ to_verilog_assert_assume_cover_module_item(verilog_module_itemt &module_item)
     module_item.id() == ID_verilog_assert_property ||
     module_item.id() == ID_verilog_assume_property ||
     module_item.id() == ID_verilog_restrict_property ||
-    module_item.id() == ID_verilog_cover_property);
+    module_item.id() == ID_verilog_cover_property ||
+    module_item.id() == ID_verilog_cover_sequence);
   binary_exprt::check(module_item);
   return static_cast<verilog_assert_assume_cover_module_itemt &>(module_item);
 }
@@ -2124,7 +2126,8 @@ to_verilog_assert_assume_cover_statement(const verilog_statementt &statement)
     statement.id() == ID_verilog_restrict_property ||
     statement.id() == ID_verilog_smv_assume ||
     statement.id() == ID_verilog_immediate_cover ||
-    statement.id() == ID_verilog_cover_property);
+    statement.id() == ID_verilog_cover_property ||
+    statement.id() == ID_verilog_cover_sequence);
   binary_exprt::check(statement);
   return static_cast<const verilog_assert_assume_cover_statementt &>(statement);
 }
@@ -2141,7 +2144,8 @@ to_verilog_assert_assume_cover_statement(verilog_statementt &statement)
     statement.id() == ID_verilog_restrict_property ||
     statement.id() == ID_verilog_smv_assume ||
     statement.id() == ID_verilog_immediate_cover ||
-    statement.id() == ID_verilog_cover_property);
+    statement.id() == ID_verilog_cover_property ||
+    statement.id() == ID_verilog_cover_sequence);
   binary_exprt::check(statement);
   return static_cast<verilog_assert_assume_cover_statementt &>(statement);
 }

src/verilog/verilog_interfaces.cpp

@@ -285,7 +285,8 @@ void verilog_typecheckt::interface_module_item(
     module_item.id() == ID_verilog_assert_property ||
     module_item.id() == ID_verilog_assume_property ||
     module_item.id() == ID_verilog_restrict_property ||
-    module_item.id() == ID_verilog_cover_property)
+    module_item.id() == ID_verilog_cover_property ||
+    module_item.id() == ID_verilog_cover_sequence)
   {
     // done later
   }